SQL Injection Cheat Sheet - Yorumlar

Seagate

Seagate — Per, 04 Mar 2010 00:33:46 +0200

Vinnu where can I contact you for a job?

vinnu

vinnu — Sal, 16 Şub 2010 06:49:59 +0200

Jaijeya
Some tips about MS-Access (Jet database engine):

You should not insert comment characters as Jet db engine doesn't recognise them so avoid them in injection.
Instead you should try to inject the SQL in such a way that it satisfies the whole query.
In most cases the injection can be done in where or order by clauses so for example:
if query is like: WHERE title LIKE '%<injectionhere>%'
Then do it like: WHERE title LIKE'%a' your SQL here WHERE name LIKE 'a%'
...Likewise.
To know rest of the query insert a single double quote " after a single quote ', in most cases it will reveal the part of query right from injection point.

It is possible to use other databases or files from query. This can also be helpful in enumerating the directory structure of the target server.
Also it is most probable that the server will be windows based if Jet db engine is there. In this case there exists a file called setuplog.txt which gets created right at the time of windows installation and it contains important information about server os and hardware, and it is compatible to be loaded in a query as a table:

'+union+select+1,File,Message,Line,Time,6,Tag,8,9,10,11+from+[TEXT;DATABASE=c:%5Cwindows;HDR=YES;FMT=Delimited].[setuplog.txt]'

eslimasec

eslimasec — Cmt, 13 Şub 2010 13:40:10 +0200

Dear Ferruh,

we developped a small tool to aid Webapptesting that includes many of your tricks, It can be find herehttp://wiki.eslimasec.com/esliwiki/ProjectsPost.

hope it is useful 4 u and ya readers.

best regards

vinnu

vinnu — Cum, 12 Şub 2010 11:22:46 +0200

In case of Oracle database server, when union doesn't work, then we can retrieve the desired results randomly. It helped me a lot in Penetrating into NASA.
Following type of injection will be helpful in such cases:

'or+1=utl_inaddr.get_host_address((SELECT+username+FROM+(SELECT+username+FROM+all_users+ORDER+BY+dbms_random.value)+WHERE+rownum=1))--

vinnu

vinnu — Cum, 12 Şub 2010 11:12:13 +0200

Also in case if u r just pairing single quotes, then u can easily ecape one of the single quote using a forward slash "\".
This will again break the SQL query and will inject the parameter as a SQL query.

mr.ots

mr.ots — Cum, 05 Şub 2010 03:30:28 +0200

waow.
this is not going to be a waste bookmark!
thanks

AK213

AK213 — Çar, 03 Şub 2010 11:03:56 +0200

Goooood

vinnu

vinnu — Per, 28 Oca 2010 10:50:02 +0200

@Brent Jenkins:
Well there is a case, when this check can be thwarted, check scenario:
There are atleast two input fields (mostly user/password) and the fields are bound to the maxlength, and the maxlength check is also implemented in server side script e.g. asp, php etc.
Noiw If u fill the first comming input with single quote ' (SQL meta) then, above script will try to pair up the single quotes.
Now if all the space is acquired by single quotes, then above listed script will try to pair up all the single quotes and this will obviously increase the size of input variable. Then if, the variable input is tripped, then it may lead to an unpaired single quotation mark, this will pair up with the second condition's first single quote and will make second condition as a string and the second input becomes a part of SQL script and making SQL injection feasible.
LOX (Legion Of Xtremers)INDIA

kai

kai — Cmt, 31 Eki 2009 18:33:38 +0200

this sql not working in .aspx login page. can anyone tell me sql injection to bypass .aspx login page.

kristofdpx

kristofdpx — Sal, 29 Eyl 2009 07:05:36 +0200

Stacked queries didn't work with PHP-MYSQL. Tested on PHP 5.2.1 and Mysql 5.0

jambo

jambo — Pzt, 27 Tem 2009 05:18:55 +0200

If this helps at all, follow this link to a page I posted with some programming help against those SQL Injection attacks!
Hey. Thanks for the tutorial. It is very complete.

bugman

bugman — Per, 02 Tem 2009 19:14:51 +0200

All the listed cases are true only for those lames who still use concatenation of user-driven datum to SQL code instead of parameters-binding mechanism

milon

milon — Çar, 01 Tem 2009 13:50:44 +0200

hello
any one can give me an example how to apply SQL injection in website details.

Kyo

Kyo — Per, 26 Mar 2009 15:14:16 +0200

I've got a little tool for generating CHAR() and hex codes for SQL injections if magic quotes is enabled here:

http://wocares.com/noquote.php

just check SQL Injection

zniko07

zniko07 — Per, 05 Mar 2009 01:16:33 +0200

' OR 1=1--
oh i tried to sql inject your comments but it didn't worked! lol
i really liked your article!! it's great! thank you

dave roberts

dave roberts — Sal, 27 Oca 2009 18:53:37 +0200

Thanks so much for the document. Its simply awesome, i m successful

fLaSh

fLaSh — Çar, 31 Ara 2008 12:43:12 +0200

I really liked the cheatsheet. nice work!

Author of MySQLi Dumper

ketek90

ketek90 — Cmt, 27 Ara 2008 15:14:35 +0200

thanks... its very useful

IT Freak

IT Freak — Cum, 26 Ara 2008 11:33:47 +0200

Cool article. I hope some ppl don't misuse it though.

Tartaria

Tartaria — Per, 18 Ara 2008 06:55:21 +0200

Offten used

userInput.Replace("'", "''") only.

It is safe?

Svarga

Svarga — Çar, 10 Ara 2008 18:42:56 +0200

http://www.microsoft.com/technet/community/columns/secmvp/sv0907.mspx

Jakc

Jakc — Per, 04 Ara 2008 10:59:21 +0200

For ASP and SQL Server one resource is:http://msdn.microsoft.com/en-us/library/cc676512.aspx which explains how to use parametrized queries, which is useful to avoid unintended queries (comments don't work inside parameters, for example).

Keral Patel

Keral Patel — Pzt, 01 Ara 2008 12:14:21 +0200

I really liked the cheatsheet. Very helpful.

JSHAW

JSHAW — Çar, 19 Kas 2008 03:56:44 +0200

good refference for sure.

Soaica Mircea

Soaica Mircea — Sal, 18 Kas 2008 18:13:23 +0200

Hey. Thanks for the tutorial. It is very complete.

Soheal Qasas

Soheal Qasas — Sal, 07 Eki 2008 01:23:09 +0200

Thanks very much for this very very useful tutorial !!

i have a question :
is it possible to stack queries in (JSP & Oracle) ?
if not (i mean if we can not attack using update,delete,insert and drop statements) why to be afraid of Sql injection in JSP & Oracle ??
Does this mean that JSP & Oracle are the best tools to make web applications ??

if (JSP & Oracle) support stacked queries, would you show me please how ?
Thanks

Brent Jenkins

Brent Jenkins — Pzt, 22 Eyl 2008 23:55:47 +0200

I have a situation where I must use embedded sql only.
That means NO store procedures, parameterized queries, etc are allowed - period.
In other words, my hands are tied!
Anyhow, I wrote this routine to prevent SQL Injection.
I think this routine is bullet proof.
Can anybody break it?

Function getSafeValue(ByVal userInput As String) As String

userInput = Trim(userInput)
userInput = userInput.Replace("'", "''")
userInput = userInput.Replace("""", "''")
Return IIf(userInput = "", "NULL", "'" & userInput & "'")

End Function

spl0it

spl0it — Sal, 22 Tem 2008 18:17:51 +0200

We recently came across an interesting attack and we've posted a link to your article, the sample attack, the solution and some suggested tips.

Please see the article at:
http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html

Amir Segal

Amir Segal — Çar, 11 Haz 2008 22:20:25 +0200

Hello programmers,

If this helps at all, follow this link to a page I posted with some programming help against those SQL Injection attacks!

http://www.cheergallery.com/SQLInjectionHelp.html

thanks,Amir Segal,Programmer

StelK

StelK — Per, 22 May 2008 18:10:39 +0200

As far as i know, all the special characters are deleted before posting a query in every decent site. And i think someone can't make SQL injection without () paranthesis. So is this injection stuff really works in the real world? is there a way to make it work?

In every decent site user input should be filtered... but from my experience I know that only 60% are decent from this point of view

kureta

kureta — Cum, 21 Mar 2008 13:58:26 +0200

SQL injection konusunda hep merak ettigim birsey var. Bildigim kadariyla akli basinda tüm sitelerde özel karakterler silinip metin öyle yollaniyor. bazi isaretler için ascii kodu falan kullanilabilir ama parantez() olmadan SQL injection yapilamaz herhalde. O yüzden SQL injection denilen olayin gerçekten de ise yaramasi mümkün mü acaba?
As far as i know, all the special characters are deleted before posting a query in every decent site. And i think someone can't make SQL injection without () paranthesis. So is this injection stuff really works in the real world? is there a way to make it work?

xp_cmdshell

xp_cmdshell — Pzt, 17 Ara 2007 01:45:55 +0200

i love this sp.
more than being a bug,
i use at every part of my program at customers.
e.g: for list of backup files, getting env vars... etc.
of course at 'sa'.
meanwhile, everyone I know uses 'sa' account

Thank you for sharing.

webmaster

webmaster — Cum, 19 Eki 2007 17:30:02 +0200

Thank you for sharing. This is the most "topic covering" article i've seen about SQL injections. Especially interested in Mysql. Will try to implement these technics inhttp://www.zubrag.com/tools/sql-injection-test.php

Ferruh Mavituna

Ferruh Mavituna — Sal, 09 Eki 2007 19:40:25 +0200

ORACLE SQL Injection Cheat Sheet :
https://ferruh.mavituna.com/makale/oracle-sql-injection-cheat-sheet/

Maligno

Maligno — Cmt, 06 Eki 2007 12:59:42 +0200

Hello,

we also do time-inference using heavy queries. We wrote an article about this in Microsoft Technet with examples for MSAccess and MSSQL but the method also running with Oracle and MySQL databases.

The article is published in this URL: "Time-Based Blind SQL Injection with Heavy Queries"

http://www.microsoft.com/technet/community/columns/secmvp/sv0907.mspx

Best regards.

daath

daath — Cum, 05 Eki 2007 02:15:15 +0200

Maybe this could help someone. I wrote a MS Access SQL Injection Cheat Sheet, you can find it here :
http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html

yuli

yuli — Per, 30 Ağu 2007 19:42:36 +0200

If anybody is interested in protecting his own MySQL server here is an automatic solution: GreenSQL Open Source Database Firewall.

Please check the following url:http://www.greensql.net/

Asim

Asim — Paz, 26 Ağu 2007 10:55:31 +0200

Ferruh bey makalenin Türkçe sini dört gözle bekliyoruz,lütfen bi el atin, biraz vakit ayirin ,makaleyi Türkçe de yayinlayin

hipbii

hipbii — Cmt, 14 Tem 2007 11:58:52 +0200

i have come across an error upon a site and i am try to use sql injects to get into the site but i cant seem to figure it out, i am still new to php so i am not quite sure how to follow the info above these messages. the error i have come across is
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'cotygame_coty'@'localhost' (using password: YES) in /home/truepimp/public_html/lostpass.php on line 47
Could not connect to database

if anyone can help me email me at hipbii@gmail.com

pentestmonkey

pentestmonkey — Paz, 08 Tem 2007 21:50:53 +0200

... and if you're interested in IBM DB2 you're welcome to use the following notes:
http://pentestmonkey.net/blog/db2-sql-injection-cheat-sheet/

pentestmonkey

pentestmonkey — Cmt, 07 Tem 2007 12:40:54 +0200

Great cheat sheet, Ferruh.

I made some notes on Ingres SQL injection at:
http://pentestmonkey.net/blog/ingres-sql-injection-cheat-sheet/

Feel free to incorporate them into yours.

lovexysky

lovexysky — Sal, 03 Tem 2007 10:22:58 +0200

I like it ,thanks!

Pete Freitag

Pete Freitag — Pzt, 25 Haz 2007 18:58:15 +0200

Stacked Queries are indeed supported in java on PostgreSQL and MS SQL Server. MySQL's JDBC driver has a setting to allow them, but it is turned off by default.

h4ckinger

h4ckinger — Cmt, 23 Haz 2007 19:16:09 +0200

Ferruh bey keske Türkçe si de olsaydi ne güzel olurdu

Tr4c3

Tr4c3 — Cum, 22 Haz 2007 00:34:00 +0200

SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')

lol. It can be writen like this

select col_name(object_id('tablenameforcolumnnames'),n)

bootcat

bootcat — Sal, 12 Haz 2007 18:20:56 +0200

Nice collection

Nobody

Nobody — Cum, 08 Haz 2007 19:31:40 +0200

In Perl, you should be safe if you use $dbh->quote().

r00tme

r00tme — Paz, 29 Nis 2007 04:20:49 +0200

by far the best cheatsheet ive seen around...
but its a shame you havent post .pdf or an easy-printable version

Cemil Durgan

Cemil Durgan — Per, 19 Nis 2007 15:20:47 +0200

Thanks...

fadfsd

fadfsd — Paz, 15 Nis 2007 17:55:23 +0200

is there any information about mysql5 injection, and user is not root(can't loadfile &read mysql.user)

Tankado

Tankado — Cmt, 14 Nis 2007 21:44:42 +0200

Ferruh satislarda, ülkeden de ayrildi zaten.

Ferruh Mavituna

Ferruh Mavituna — Cum, 13 Nis 2007 14:34:16 +0200

yurtdisina açildiniz sanirim ferruh bey, artik dökümanlari ingilizce yaziyorsunuz
keske türkçeside olsa...

Japoncasini yayinladik :http://www.byakuya-shobo.co.jp/hj/2007_05_SQLcheat.html insallah yakinda Turkcesi de olur

ynlzbn

ynlzbn — Cum, 13 Nis 2007 14:28:51 +0200

yurtdisina açildiniz sanirim ferruh bey, artik dökümanlari ingilizce yaziyorsunuz
keske türkçeside olsa...

l0cus

l0cus — Paz, 25 Mar 2007 19:12:19 +0200

Good article.

TC

TC — Paz, 18 Mar 2007 11:44:27 +0200

Very thorough. Good work!

originalgeek

originalgeek — Paz, 18 Mar 2007 10:46:18 +0200

In Perl, I run all my form fields through this. AFAIK, it mitigates SQL injection, I/O redirection and command launching attacks. Note this version also removes all white space from the input, so caveat emptor.

sub sanitize
{
my ($s) = @_;

$s =~ tr/\%\+\=\&\`\'\"\|\*\?\~\<\>\^\[\]\{\}\$\n\r\\\0\x20\.\,\!\@\#\;\///d;
return($s);
}

Philip Arthur Moore

Philip Arthur Moore — Cmt, 17 Mar 2007 22:45:40 +0200

This is excellent! Thank you very much for this tutorial.

Brandon

Brandon — Cmt, 17 Mar 2007 20:11:45 +0200

Just in case anyone wants to know how to prevent these, these are easily avoidable with php/mysql using mysql_real_escape_string

warren henning

warren henning — Cmt, 17 Mar 2007 13:45:39 +0200

i am so adding this to my bookmarks.

JOKERz

JOKERz — Cum, 16 Mar 2007 14:35:55 +0200

great tutorial dude!!!

hardik

hardik — Cum, 16 Mar 2007 07:35:02 +0200

hi,

good work.a better way is to provide the PDF of this page