How to Craft SQL Injection Payloads
So you suspect there’s an SQL injection (SQLi)… but you don’t know how to prove it…
Well you’ve come to the right place. This is my first instructional, inspired by my struggle to get through the MicroCMS-v2. I know there is SQLi but I just can’t seem to figure it out. So I’ll write this and hopefully will make a breakthrough.
About SQL
First of all, some people may use SQL injection synonymously with database injection as a whole, which may also include NoSQL injections. This write-up will focus specifically on SQL databases.
SQL stands for Standard Query Language, and it's the way that Relational Databases interact with themselves or other applications. NoSQL is a language to interact with NON-Relational Databases. There are a number of popular databases that use SQL, like MySQL, PostgreSQL, Oracle Database, and more. These can be called Relational DataBase Management Systems (RDBMS). If you can determine that an application has an SQL-based database, you can start looking for SQLi.
Some basic commands that you can string together can be found here (don’t worry, we’ll go over more specifics in a little bit):
| Verbs | Modifiers | Data Types | Symbols (purpose) |
|---|---|---|---|
| SELECT | WHERE | Integer | ', " (String Delimiters) |
| INSERT | AND | Float | ; (SQL Statement Terminator) |
| UPDATE | OR | Char | --, # (Comment Delimiter) |
| DELETE | ORDER BY | Boolean | %, * (Wildcard Character) |
| DROP | LIMIT | Binary | +, "" (String Concatenation) |
| UNION | | Date | -, +, <, > (Math Operators) |
| | | Timestamp | = (Equivalence) |
| | | | () (Calling Functions, Subqueries, and INSERTS) |
| | | | %00 |
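
The following Python example is added here and is not from the original write-up. It shows why the string and comment delimiters in the table matter: when input is concatenated into the statement text they are parsed as SQL, and when the same input is bound as a parameter they stay data. The `pages` table, its columns and the sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; the table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, private INTEGER)")
    db.executemany("INSERT INTO pages (title, private) VALUES (?, ?)",
                   [("Welcome", 0), ("Admin notes", 1)])
    return db

def find_concat(db, title):
    # Vulnerable pattern: input becomes part of the statement text, so a
    # string delimiter inside it ends the literal and the rest parses as SQL.
    sql = "SELECT title FROM pages WHERE private = 0 AND title = '" + title + "'"
    try:
        return sorted(r[0] for r in db.execute(sql))
    except sqlite3.Error as exc:
        # An unbalanced delimiter surfaces as a syntax error from the database.
        return "error: " + type(exc).__name__

def find_bound(db, title):
    # Hardened pattern: fixed statement text, input bound as a value.
    sql = "SELECT title FROM pages WHERE private = 0 AND title = ?"
    return sorted(r[0] for r in db.execute(sql, (title,)))

# Constructed inputs built only from symbols listed in the table above.
SAMPLES = [
    "Welcome",        # ordinary value
    "O'Brien",        # lone string delimiter
    "x' OR 1=1 --",   # delimiter, modifier and comment delimiter together
    "Welcome;",       # terminator that stays inside the string literal
]

def compare(db):
    # Map each input to (result with concatenation, result with binding).
    return {s: (find_concat(db, s), find_bound(db, s)) for s in SAMPLES}

if __name__ == "__main__":
    for value, (concat, bound) in compare(make_db()).items():
        print(f"{value!r:18} concat={concat!r:32} bound={bound!r}")
```

With concatenation, the lone quote produces a database error and the combined input returns the private row; with binding, every input is compared as a plain title.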