SQLi

SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. These statements control a database server behind a web application. Attackers can use SQL Injection vulnerabilities to bypass application security measures.

Payloads

Payload list

Types

Error based

Forces the database to perform an operation that results in an error, then tries to extract data from the database by having it shown in the error message.

Example

Boolean based

Relies on sending an SQL query to the database which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.

Example
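The behaviour described above, shown side by side with its fix. This is an added example, not code from the original page: the table, rows, function names and the two test inputs are constructed for illustration, and it runs against an in-memory SQLite database.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, released INTEGER)"
    )
    db.executemany(
        "INSERT INTO products (name, released) VALUES (?, ?)",
        [("gizmo", 1), ("widget", 1), ("prototype", 0)],
    )
    return db


def found_concat(db, name):
    """Vulnerable: input is spliced into the SQL text and can alter the WHERE clause."""
    sql = "SELECT id FROM products WHERE released = 1 AND name = '" + name + "'"
    return db.execute(sql).fetchone() is not None


def found_param(db, name):
    """Hardened: input is bound as a value and is never parsed as SQL."""
    sql = "SELECT id FROM products WHERE released = 1 AND name = ?"
    return db.execute(sql, (name,)).fetchone() is not None


def oracle_signal(lookup, db):
    """Return (result for a TRUE condition, result for a FALSE condition).

    A difference between the two results is the signal that
    boolean-based injection depends on.
    """
    true_input = "gizmo' AND 1=1 --"   # constructed: appended condition is TRUE
    false_input = "gizmo' AND 1=2 --"  # constructed: appended condition is FALSE
    return lookup(db, true_input), lookup(db, false_input)


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", oracle_signal(found_concat, db))
    print("parameterized:", oracle_signal(found_param, db))
```

With the parameterized query both inputs are treated as literal product names, so the response no longer varies with the appended condition.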

Blind based

Sending payloads, observing the web application's response and the resulting behavior of the database server. Check payloads.

Example

Union based

UNION-based attacks allow the tester to easily extract information from the database. Because the UNION operator can only be used if both queries have the exact same structure, the attacker must craft a SELECT statement similar to the original query.

Example

Time based

Forces the database to wait for a specified amount of time (in seconds) before responding. The response time will indicate to the attacker whether the result of the query is TRUE or FALSE.

Example

SQLi to RCE

Using XAMPP

Payload
