\documentclass[10pt,a4paper]{article} % Packages \usepackage{fancyhdr} % For header and footer \usepackage{multicol} % Allows multicols in tables \usepackage{tabularx} % Intelligent column widths \usepackage{tabulary} % Used in header and footer \usepackage{hhline} % Border under tables \usepackage{graphicx} % For images \usepackage{xcolor} % For hex colours %\usepackage[utf8x]{inputenc} % For unicode character support \usepackage[T1]{fontenc} % Without this we get weird character replacements \usepackage{colortbl} % For coloured tables \usepackage{setspace} % For line height \usepackage{lastpage} % Needed for total page number \usepackage{seqsplit} % Splits long words. %\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely. \usepackage[normalem]{ulem} % For underlining links % Most of the following are not required for the majority % of cheat sheets but are needed for some symbol support. \usepackage{amsmath} % Symbols \usepackage{MnSymbol} % Symbols \usepackage{wasysym} % Symbols %\usepackage[english,german,french,spanish,italian]{babel} % Languages % Document Info \author{binca} \pdfinfo{ /Title (database-fingerprinting.pdf) /Creator (Cheatography) /Author (binca) /Subject (Database Fingerprinting Cheat Sheet) } % Lengths and widths \addtolength{\textwidth}{6cm} \addtolength{\textheight}{-1cm} \addtolength{\hoffset}{-3cm} \addtolength{\voffset}{-2cm} \setlength{\tabcolsep}{0.2cm} % Space between columns \setlength{\headsep}{-12pt} % Reduce space between header and content \setlength{\headheight}{85pt} % If less, LaTeX automatically increases it \renewcommand{\footrulewidth}{0pt} % Remove footer line \renewcommand{\headrulewidth}{0pt} % Remove header line \renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit % This two commands together give roughly % the right line height in the tables \renewcommand{\arraystretch}{1.3} \onehalfspacing % Commands \newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour \newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols \newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns \newcommand{\tn}{\tabularnewline} % Required as custom column type in use % Font and Colours \definecolor{HeadBackground}{HTML}{333333} \definecolor{FootBackground}{HTML}{666666} \definecolor{TextColor}{HTML}{333333} \definecolor{DarkBackground}{HTML}{918027} \definecolor{LightBackground}{HTML}{F8F7F1} \renewcommand{\familydefault}{\sfdefault} \color{TextColor} % Header and Footer \pagestyle{fancy} \fancyhead{} % Set header to blank \fancyfoot{} % Set footer to blank \fancyhead[L]{ \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{C} \SetRowColor{DarkBackground} \vspace{-7pt} {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}} } \end{tabulary} \columnbreak \begin{tabulary}{11cm}{L} \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{Database Fingerprinting Cheat Sheet}}}} \\ \normalsize{by \textcolor{DarkBackground}{binca} via \textcolor{DarkBackground}{\uline{cheatography.com/44948/cs/13351/}}} \end{tabulary} \end{multicols}} \fancyfoot[L]{ \footnotesize \noindent \begin{multicols}{3} \begin{tabulary}{5.8cm}{LL} \SetRowColor{FootBackground} \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}} \\ \vspace{-2pt}binca \\ \uline{cheatography.com/binca} \\ \end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}} \\ \vspace{-2pt}Not Yet Published.\\ Updated 9th November, 2017.\\ Page {\thepage} of \pageref{LastPage}. \end{tabulary} \vfill \columnbreak \begin{tabulary}{5.8cm}{L} \SetRowColor{FootBackground} \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}} \\ \SetRowColor{white} \vspace{-5pt} %\includegraphics[width=48px,height=48px]{dave.jpeg} Measure your website readability!\\ www.readability-score.com \end{tabulary} \end{multicols}} \begin{document} \raggedright \raggedcolumns % Set font size to small. Switch to any value % from this page to resize cheat sheet text: % www.emerson.emory.edu/services/latex/latex_169.html \footnotesize % Small font. \begin{multicols*}{2} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Purpose}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Determine type of backend DB to guide injection crafting, sometimes an educated guess based on information and configuration reconnaissance or error messages.} \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Use special function parameters such as {\bf{SELECT @@ version}} (MySQL and SQL Server)} \tn % Row Count 6 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Unique numeric functions: \{\{nl\}\} MySQL - connnection\_id() \{\{nl\}\} MSSQL - @@pack\_received \{\{nl\}\} Oracle - BITAND(1,1)} \tn % Row Count 9 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{(Meta) Database Information}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{The RDBMS being used will affect metadata and schema information, which will be used to determine tables, columns, users and passwords} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{{\bf{information\_schema}} is an ANSI SQL92 standard database that can provide us with relevant metadata negating the need for fingerprinting, though implementations vary.} \tn % Row Count 7 (+ 4) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{{\bf{MySQL's}} information\_schema includes information for every DB, while {\bf{MSSQL}} only shows information for the current DB.} \tn % Row Count 10 (+ 3) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{{\bf{Oracle, DB2, and SQLite}} do {\bf{NOT}} support information\_schema.} \tn % Row Count 12 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{x{1.224 cm} x{1.944 cm} x{2.016 cm} x{2.016 cm} } \SetRowColor{DarkBackground} \mymulticolumn{4}{x{8.4cm}}{\bf\textcolor{white}{information\_schema Databases}} \tn % Row 0 \SetRowColor{LightBackground} {\bf{RDBMS}} & {\bf{Databases}} & {\bf{Tables}} & {\bf{Columns}} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} MySQL & \seqsplit{schema\_name} FROM \seqsplit{information\_schema}.schemata & \seqsplit{table\_name} FROM \seqsplit{informaton\_schema}.tables & \seqsplit{column\_name} FROM \seqsplit{information\_schema}.columns \tn % Row Count 7 (+ 5) % Row 2 \SetRowColor{LightBackground} SQL \seqsplit{Server} or Azure SQL* & name FROM \seqsplit{sys.databases} & name FROM sys.tables & name FROM \seqsplit{sys.columns} \tn % Row Count 11 (+ 4) % Row 3 \SetRowColor{white} \seqsplit{Oracle} DB & \seqsplit{**...owner} FROM \seqsplit{all\_tables} & \seqsplit{table\_name} FROM \seqsplit{all\_tables} & \seqsplit{column\_name} FROM \seqsplit{all\_tab\_columns} \tn % Row Count 14 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}----} \SetRowColor{LightBackground} \mymulticolumn{4}{x{8.4cm}}{*Deprecated syntax master..sysobjects system tables} \tn \hhline{>{\arrayrulecolor{DarkBackground}}----} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Exploiting In-Band/In-line SQLi}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{With a SELECT query we can see all data contained in columns employed, but we are confined to the table the query SELECTs FROM.} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{To see beyond the current table we can use {\bf{Stacked Queries}} if they are supported.} \tn % Row Count 5 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{{\bf{Stacked Queries}} are multiple SQL queries submitted by splitting them with a {\bf{;}}.} \tn % Row Count 7 (+ 2) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Example: {\bf{SELECT * FROM Users WHERE lname='John'; CREATE TABLE exfil(data varchar(1000));-{}-';}}} \tn % Row Count 9 (+ 2) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Most often support with {\bf{MSSQL}}.} \tn % Row Count 10 (+ 1) % Row 5 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{{\bf{MySQL}} support is complicated because will the DB supports it the way the app interfaces with MySQL limiting the abilities.} \tn % Row Count 13 (+ 3) % Row 6 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{{\bf{Oracle}} does NOT support Stacked Queries.} \tn % Row Count 14 (+ 1) % Row 7 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Stacked Queries are not required for data retrieval/exfiltration but make it easier.} \tn % Row Count 16 (+ 2) % Row 8 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Stacked Queries are important when we want to do more than SELECT. Enables us to do {\bf{INSERTs, UPDATEs, DROPs, SHUTDOWNs}} with ease.} \tn % Row Count 19 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Unionizing SQLi}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{{\bf{UNION}} allows us to move beyond the confines of the table so we can access arbitrary data from the DB.} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Example: {\bf{SELECT * FROM Users WHERE lname='John' UNION SELECT * FROM Customers;-{}-';}}} \tn % Row Count 5 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{{\bf{Prerequests: \{\{nl\}\} \# of columns being pulled must match in the original and injected SELECT \{\{nl\}\} Column data must be compatible \{\{nl\}\} Know table names to target}}} \tn % Row Count 9 (+ 4) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{FROMless SELECT}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{{\bf{SELECT}} Statements do {\bf{NOT}} require an associated {\bf{FROM}}} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{When the FROM is left out the result is an interpreted form of the supplied input.} \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{SELECT 1; -{}- returns 1} \tn % Row Count 5 (+ 1) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{{\bf{ORACLE DB}} requires {\bf{FROM}} for all {\bf{SELECT}} statements but provides a built-in {\bf{DUAL}} table that acts as a dumby} \tn % Row Count 8 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{NULL}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{{\bf{NULL}} is compatible with any data type.} \tn % Row Count 1 (+ 1) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Couple with FROMless SELECT with NULL to prevent mismatch of data types.} \tn % Row Count 3 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{UNION and NULL}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Use {\bf{NULL}} with {\bf{UNION SELECT}} to determine number of columns by increasing the number of NULLs until an error is presented.} \tn % Row Count 3 (+ 3) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Example: {\bf{SELECT * FROM Users WHERE lname='John' UNION SELECT NULL, NULL, NULL;-{}-';}}} \tn % Row Count 5 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{This approach also works for {\bf{INSERT}} statements.} \tn % Row Count 7 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Note: Another method is to determine column numbers with an {\bf{ORDER BY}} clause.} \tn \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Data Types}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Require at least 1 column that accommodates strings to accept data we exfiltrate} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Tweak previous column number injection changing each NULL to a string until the query is successful.} \tn % Row Count 4 (+ 2) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Example: {\bf{SELECT * FROM Users WHERE lname='John' UNION SELECT 'string', NULL, NULL;-{}-';}}} \tn % Row Count 6 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{Data Exfiltration}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Using {\bf{UNION}} and having establish the number of columns and at least one column that accepts strings we can iterate through all columns of interesting tables to return data.} \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{{\bf{Blind}} data exfiltration is the same approach as UNION but encumbered by having to use inference techniques.} \tn % Row Count 7 (+ 3) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Tools make this more efficient and in the case of blind data exfiltration make it easier.} \tn % Row Count 9 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{SQLi Potential attacks}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{While data exfiltration is the most commonly performed exploit again SQLi flaws in some cases the data holds little value. Attackers can still perform other attacks.} \tn % Row Count 4 (+ 4) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Deleting or altering valuable data.} \tn % Row Count 5 (+ 1) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Injecting data used as stored XSS payloads} \tn % Row Count 6 (+ 1) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Reading files \{\{nl\}\} {\bf{MySQL - LOAD\_FILE()}} \{\{nl\}\} {\bf{SQL Server BULK INSERT}}} \tn % Row Count 8 (+ 2) % Row 4 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Writing files {\bf{MySQL - INTO OUTFILE}}} \tn % Row Count 9 (+ 1) % Row 5 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{OS interaction beyond files because stored procedures used to interact with the OS may be on the DB} \tn % Row Count 11 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{SQLi Shell Access}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Writing files can be used to achieve interactive shells (file writing similar to file uploading)} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{{\bf{Requirements: \{\{nl\}\} DB server also running web server \{\{nl\}\} DB account needs privileges to write to web root \{\{nl\}\} Have the ability to browse web root}}} \tn % Row Count 6 (+ 4) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{Alternative approaches require {\bf{Stacked Queries}}.} \tn % Row Count 8 (+ 2) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{More viable during internal penetration test or in a pivoted SQLi.} \tn % Row Count 10 (+ 2) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} \begin{tabularx}{8.4cm}{X} \SetRowColor{DarkBackground} \mymulticolumn{1}{x{8.4cm}}{\bf\textcolor{white}{SQLi Cheat Sheets}} \tn % Row 0 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{WebSec SQL Injection Knowledge Base \seqsplit{-https://websec.ca/kb/sql\_injection}} \tn % Row Count 2 (+ 2) % Row 1 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{pentestmonkey SQL Injection Cheat Sheet \seqsplit{-http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet}} \tn % Row Count 5 (+ 3) % Row 2 \SetRowColor{LightBackground} \mymulticolumn{1}{x{8.4cm}}{SQL Injection Wiki Cheat Sheet \seqsplit{-http://www.sqlinjectionwiki.com/}} \tn % Row Count 7 (+ 2) % Row 3 \SetRowColor{white} \mymulticolumn{1}{x{8.4cm}}{Defensive: OWASP SQL Injection Prevention Cheat Sheet \seqsplit{-https://www.owasp.org/index.php/SQL\_Injection\_Prevention\_Cheat\_Sheet}} \tn % Row Count 10 (+ 3) \hhline{>{\arrayrulecolor{DarkBackground}}-} \end{tabularx} \par\addvspace{1.3em} % That's all folks \end{multicols*} \end{document}