search

SQL injection

LogoPayloadsAllTheThings/SQL Injection at master · swisskyrepo/PayloadsAllTheThingsGitHubchevron-right

hashtag
Identify the SQLi

First thing you need to do is to identify that if SQL injection is possible or not.

You can identify the SQLi based on error or time.

You can use below payload for the same.

https://github.com/payloadbox/sql-injection-payload-list?tab=readme-ov-file#generic-sql-injection-payloadsgithub.comchevron-right

hashtag
Identify the Underlying system

You can do this from error you have received.

LogoPayloadsAllTheThings/SQL Injection at master · swisskyrepo/PayloadsAllTheThingsGitHubchevron-right
circle-info

If you came to know that MS SQL Server is there then you can run xp_cmdshell command.

Based on your identification you can craft the payload and run command.

You can use below payload based on the SQL server.

LogoPayloadsAllTheThings/SQL Injection at master · swisskyrepo/PayloadsAllTheThingsGitHubchevron-right

hashtag
Example

This is a one of the way i have performed SQLi in labs.

hashtag
MSSQL

I have found that underlying system is MSSQL from the error. I received.

So, I will enable execute OS Command first and then run the reverse shell command.

If you are testing this on the login form, you will receive a message stating "incorrect or invalid password." If you encounter a syntax error again—similar to what you experienced when using single quotes (1')—it indicates that your command did not execute successfully.

Then run the below command to get the shell.

PreviousPhishing for AccessNextMySQL

Last updated