Note for SQLi

SQL Injection is a vulnerability that allows attackers to insert their own code into an application's original SQL statements and trigger malicious behaviour, such as dumping the database or writing a webshell. In this note, I will share some ideas about SQL injection.


  • Error-based injection
  • Union-based injection
  • Stacked injection
  • Blind injection
    • Boolean-based injection
    • Time-based injection


Error-based Injection

(1) floor(rand(0)*2)

Principle: The result of floor(rand(0)*2) is not random. When a statement is executed, floor(rand(0)*2) is evaluated two times: once while judging whether the related row should be put into the virtual result table, and again when the value of floor(rand(0)*2) is actually being put into the virtual result table. (1. Should it be put in or not; 2. What should be put in.) Because the two evaluations can disagree, the statement ends up in an inconsistent state and MySQL reports an error.

(2) updatexml()

Principle: updatexml(xml_target, xpath_expr, new_xml) requires its second parameter to be an XPath expression; when the expression is not valid XPath, MySQL reports the offending expression in its error message.

(3) extractvalue()

(4) Overflow exp()

(5) Overflow bigint()

(6) Replication

(7) Misc

How To Utilize It

  1. Dumping the database (e.g. the passwords of administrators);
  2. Writing files (write a PHP webshell into the web server directory – SELECT 'zhz' INTO OUTFILE '/var/www/html/backdoor.php');
  3. Reading files (read sensitive files such as configuration files – SELECT LOAD_FILE('/etc/passwd'));
  4. Second-order SQL injection.


How To Defend Against It

  1. Filter keywords and symbols and sanitize the input (keywords such as UNION, SELECT, FROM, OR, AND, or using GPC).
  2. Parameterized queries (pre-compile the SQL statement so that user input is bound as data and never parsed as SQL).
  3. Defend in depth (check the content of the information flow between components on the servers).
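The second defence (parameterized queries), as an added example that is not part of the original note: a login query built by string concatenation next to its parameterized form, run on the same inputs. SQLite's in-memory database and the sample rows are assumed stand-ins for the MySQL server the note discusses.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table standing in for MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2"), ("o'brien", "pw")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string concatenation, so the user input is
    parsed as part of the SQL grammar: a quote in the input ends the literal."""
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, password):
    """Sends the statement with placeholders and binds the values separately
    (the pre-compiled statement of the defence list); the values are data and
    are never re-parsed as SQL, whatever characters they contain."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def compare(conn, name, password):
    """Run both variants on the same input; a syntax error raised by the
    vulnerable variant (a legitimate quote in the name) is returned as text."""
    try:
        vulnerable = login_vulnerable(conn, name, password)
    except sqlite3.OperationalError as err:
        vulnerable = f"error: {err}"
    parameterized = login_parameterized(conn, name, password)
    return {"vulnerable": vulnerable, "parameterized": parameterized}


if __name__ == "__main__":
    db = make_db()
    # A normal login, a legitimate name containing a quote, and the classic
    # tautology of boolean-based injection: only the concatenated query is fooled.
    for creds in [("alice", "hunter2"), ("o'brien", "pw"), ("x", "' OR '1'='1")]:
        print(creds, compare(db, *creds))
```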

Interesting Payloads Collection