SQL Injection

SQL Injection cheat sheet
Especially for filter evasion


By RSnake

Note from the author: If you don't know how SQL Injection works, this page probably won't help you. This page is for people who already understand the basics of SQL Injection attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to mitigate SQL Injection vectors or how to write the data dumping or DB tampering portion of the attack. It will simply show the underlying methodology and you can infer the rest. This document was built with a similar structure to my XSS Cheat Sheet to aid researchers with precise and helpful information. Because this is a living document, I suggest you continue to use this site to stay up to date.

I am in need of more versions of different databases. If you have access to a database that is not mentioned below and want to contribute, please email me. If you have an RSS reader feel free to subscribe to my very low volume SQL Injection RSS feed below:

SQL Injection


SQL Injection:
    Normal SQL Injection:

    Database support: [mySQL]


    Normal SQL Injection using encapsulated data:

    Database support: [mySQL]


    Blind SQL Injection to throw an error to validate that encapsulation isn't working. The goal here is to throw an error to cause the application to show us that it is not encapsulating quotes correctly:

    Database support: [mySQL]


    Blind SQL Injection creating an error using EXEC:

    Database support: [mySQL]


    Blind SQL Injection detection. If filtering is in place, this shouldn't give us the same result as we would get if we excluded the AND 1 = 1 part. If it does give us the same result, it shows that the application is vulnerable:

    Database support: [mySQL]


    Blind SQL Injection to attempt to locate table names by brute force iteration through potential names (you'll have to change the table name until you find a match):

    Database support: [mySQL]


    Using the USER_NAME() function in SQL Server to tell us if the user is running as the administrator:

    Database support: [mySQL | SQL]


    Evading escapes with backslashes. This assumes the application escapes a single quote with another single quote; introducing a backslash before it escapes the single quote that is added by the filter. This type of filter is applied by mySQL's mysql_real_escape_string() and Perl's DBD method $dbh->quote():

    Database support: [mySQL | SQL]


    More blind SQL Injection by attempting to create an error using the backslash method seen above:

    Database support: [mySQL | SQL]


    Creating errors by calling fake tables. This can help expose vulnerable applications by attempting to create an error by calling tables that are nonexistent (try this with and without the quotes):

    Database support: [mySQL | SQL]


    Dumping usernames (assuming there is a username table and quotes are not escaped):

    Database support: [mySQL | SQL]


    Enumerating through database table names. By changing the 116 to different numbers you can use logarithmic reduction to find the first char of the database table name. Then, by iterating the first 1 in 1, 1, you can eventually get the whole table name. Originally found by Kevin Spett:

    Database support: [mySQL | SQL]


    Finding user supplied tables using the sysObjects table in SQL Server:

    Database support: [mySQL | SQL]


    Bypassing filters using comment tags:

    Database support: [mySQL | SQL]
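
The AND 1 = 1 comparison from the blind detection entry above, written as a regression check a developer can run against their own query code. This is an added example, not part of the original cheat sheet; the `items` table, its rows and all function names are constructed for illustration, and SQLite stands in for the database so the check runs offline.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget")])
    return db

def lookup_concat(db, item_id):
    # Vulnerable form: the request value is pasted into the SQL text.
    sql = "SELECT name FROM items WHERE id = " + item_id
    return db.execute(sql).fetchall()

def lookup_bound(db, item_id):
    # Hardened form: the value is bound as data and never parsed as SQL.
    sql = "SELECT name FROM items WHERE id = ?"
    return db.execute(sql, (item_id,)).fetchall()

def parsed_as_sql(lookup, db, baseline="1"):
    """Return True when appending ' AND 1 = 1' leaves the result unchanged,
    meaning the suffix was evaluated as SQL instead of being treated as data."""
    plain = lookup(db, baseline)
    probed = lookup(db, baseline + " AND 1 = 1")
    return bool(plain) and plain == probed

if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_concat, lookup_bound):
        verdict = "injectable" if parsed_as_sql(fn, db) else "not injectable"
        print(fn.__name__, "->", verdict)
```

A "not injectable" verdict only covers this one probe; it shows the suffix was not evaluated, not that every code path binds its parameters.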






Database support reference table:


mySQL: Vector works in mySQL. Most recently tested with _.
SQL: Vector works in SQL Server. Most recently tested with _.

Note: if a vector is not marked it either does not work or it is untested.


Written in vim, and UTF-8 encoded, for her pleasure.
All rights reserved, all wrongs observed.
© 2001-2014 RSnake