Difference between revisions of "SQL Injection Cookbook template"

From OWASP
(Reverting to last version not containing links to www.textbocdartac4tc.com)
 
(23 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
__TOC__
 
__TOC__
=Reconnaissance=
+
=Database objects=
==Meta-data==
+
==Tables==
Data about data
+
===List table names===
===List of table names===
+
===List columns for a specific table===
How to get a list of table names
+
===View table permissions===
===List of columns for a specific table===
+
===Change table permissions===
===Information about the indexes of a specific table===
+
===Create a table===
==Stored Procedures==
+
 
===List of stored procedures===
+
==Stored procedures or functions==
===Parameters for stored procedures===
+
===List stored procedures or functions===
===Source code of stored procedures===
+
===Parameters for a stored procedure or function===
==System data==
+
===Source code of a stored procedure or function===
 +
===Create a stored procedure or function===
 +
 
 +
 
 +
=System data=
 +
==Users==
 +
===Identify current user===
 
===List of database users===
 
===List of database users===
 +
===List of database administrators===
 
===Database user permissions===
 
===Database user permissions===
===Database server settings===
+
===Create a new user===
 +
===Change a user password===
 +
===Delete a user===
 +
 
 +
==Database server==
 +
===View database server settings===
 +
===Change database server settings===
 +
===View database server processes===
 +
===Kill database server process===
 +
 
 +
==Host Operating System==
 
===Operating System version===
 
===Operating System version===
 
===OS environment variables===
 
===OS environment variables===
 +
===Execute OS shell command===
 +
===Read file contents===
 +
===Arbitrary file writes===
 +
===File uploads===
 +
 +
 +
=Queries=
 +
==Strings==
 +
===Valid string delimiters===
 +
===String concatenation===
 +
===String-based queries with no quote characters===
 +
 +
==Query syntax==
 +
===Result row count limiters===
 +
===Acceptable whitespace===
 +
===Tableless queries===
 +
===Query comments===
 +
===Command delimiters===
 +
===Set operators===
 +
Set operators are used to combine the results from two different queries. The number of columns and order of column types must be identical for both queries. The general syntax is
 +
 +
  SELECT
 +
    fname, lname
 +
  FROM
 +
    employees
 +
  '''''SET_OPERATOR'''''
 +
  SELECT
 +
    fname, lname
 +
  FROM
 +
    customers
 +
 +
==Special queries==
 +
===Single column queries===
 +
===Single row queries===
 +
 +
==Functions, etc.==
 +
===Data type casting===
 +
===Query output to file===
 +
 +
=Attacks=
 +
==Breaking out of a query==
 +
===WHERE clauses===
 +
===FROM clauses===
 +
===Other parts of a SELECT===
 +
===INSERT statements===
 +
===UPDATE statements===
 +
 +
==Inference and timing attacks==
 +
==SQL Tautologies==
 +
A tautology is something that is inherently true. SQL tautologies are used when you want to force a query to return all results, basically ignoring any WHERE conditionals. Simple tautologies like " OR 1=1" are useful, but may be filtered out by some security tools. The table below offers a number of tautologies that filter writers (even on well known commercial tools) may not have considered. 
 +
{| style="width:75%;" border="1" cellspacing="0" cellpadding="5"
 +
! width="55%"|Statement
 +
! width="15%"|Numeric
 +
(1 = 1)
 +
! width="15%"|String
 +
('a' = 'a')
 +
! width="15%"|Binary
 +
(0x1 = 0x1)
 +
|-
 +
| '''''a''''' = '''''a'''''
 +
| align="center" | X
 +
| align="center" | X
 +
| align="center" | X
 +
|}
 +
 +
=Data exfiltration=
 +
==E-mail==
 +
==Web==
 +
==General network==
 +
  
=Query attacks & tricks=
+
=Platform specific=
==Data type casting==
+
==Unique database platform features==
==String-based queries with no quote characters==
+
==Authoritative documentation resources==
==SQL tautology attacks==
+
==Links==
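Review bot: the SQL Tautologies text added in this hunk promises that "the table below offers a number of tautologies", but the table beneath it carries a single row (a = a, marked X for numeric, string and binary); either add the further rows or soften that sentence until they exist. The set-operator sketch in the same hunk leaves '''''SET_OPERATOR''''' as a bare placeholder; naming the operators the cookbook intends to cover there would make the section usable on its own.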

Latest revision as of 13:28, 27 May 2009


=Database objects=
==Tables==
===List table names===
===List columns for a specific table===
===View table permissions===
===Change table permissions===
===Create a table===
==Stored procedures or functions==
===List stored procedures or functions===
===Parameters for a stored procedure or function===
===Source code of a stored procedure or function===
===Create a stored procedure or function===
=System data=
==Users==
===Identify current user===
===List of database users===
===List of database administrators===
===Database user permissions===
===Create a new user===
===Change a user password===
===Delete a user===
==Database server==
===View database server settings===
===Change database server settings===
===View database server processes===
===Kill database server process===
==Host Operating System==
===Operating System version===
===OS environment variables===
===Execute OS shell command===
===Read file contents===
===Arbitrary file writes===
===File uploads===
=Queries=
==Strings==
===Valid string delimiters===
===String concatenation===
===String-based queries with no quote characters===
==Query syntax==
===Result row count limiters===
===Acceptable whitespace===
===Tableless queries===
===Query comments===
===Command delimiters===
===Set operators===

Set operators are used to combine the results from two different queries. The number of columns and order of column types must be identical for both queries. The general syntax is

 SELECT
     fname, lname
 FROM
     employees
 SET_OPERATOR
 SELECT
     fname, lname
 FROM
     customers

==Special queries==
===Single column queries===
===Single row queries===
==Functions, etc.==
===Data type casting===
===Query output to file===
=Attacks=
==Breaking out of a query==
===WHERE clauses===
===FROM clauses===
===Other parts of a SELECT===
===INSERT statements===
===UPDATE statements===
==Inference and timing attacks==
==SQL Tautologies==

A tautology is a statement that is always true. SQL tautologies are used to force a query to return every row, effectively neutralising any WHERE condition. Simple tautologies such as " OR 1=1" work, but may be filtered out by some security tools. The table below offers a number of tautologies that filter writers (even of well-known commercial tools) may not have considered.

{| style="width:75%;" border="1" cellspacing="0" cellpadding="5"
! width="55%"|Statement
! width="15%"|Numeric<br />(1 = 1)
! width="15%"|String<br />('a' = 'a')
! width="15%"|Binary<br />(0x1 = 0x1)
|-
| '''''a''''' = '''''a'''''
| align="center" | X
| align="center" | X
| align="center" | X
|}
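An added example (not from the OWASP page) that serves both the set-operator section and the tautology table, using Python's sqlite3 with a constructed employees/customers schema: it runs the two-SELECT skeleton with concrete operators, shows the identical-column-count rule being enforced, and contrasts a WHERE clause built by string concatenation, which the string tautology from the table collapses, with a parameterised one that treats the same input as a literal.

```python
import sqlite3

# Constructed sample data (not from the OWASP page): two tables whose first
# two columns have the same layout, so set operators can combine them.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employees (fname TEXT, lname TEXT, role TEXT);
        CREATE TABLE customers (fname TEXT, lname TEXT, tier TEXT);
        INSERT INTO employees VALUES ('ann', 'lee', 'dba'), ('bob', 'ray', 'dev');
        INSERT INTO customers VALUES ('ann', 'lee', 'gold'), ('cid', 'ng', 'silver');
    """)
    return con

def combine(con, set_operator):
    """The page's two-SELECT skeleton with a concrete operator (UNION,
    UNION ALL, INTERSECT or EXCEPT); both halves select the same two columns."""
    sql = (f"SELECT fname, lname FROM employees {set_operator} "
           "SELECT fname, lname FROM customers")
    return con.execute(sql).fetchall()

def column_count_mismatch(con):
    """Breaking the identical-column-count rule: the engine rejects the query."""
    try:
        con.execute("SELECT fname, lname FROM employees UNION SELECT fname FROM customers")
        return False
    except sqlite3.OperationalError:
        return True

# String tautology from the table above, spliced into a quoted value.
TAUTOLOGY = "x' OR 'a' = 'a"

def lookup_concat(con, lname):
    """Vulnerable pattern: the value is pasted into the WHERE clause, so the
    condition becomes  lname = 'x' OR 'a' = 'a'  and every row qualifies."""
    return con.execute(f"SELECT fname FROM employees WHERE lname = '{lname}'").fetchall()

def lookup_param(con, lname):
    """Hardened pattern: the same input is bound as a parameter and can only
    be compared as a literal string, so no row matches."""
    return con.execute("SELECT fname FROM employees WHERE lname = ?", (lname,)).fetchall()

if __name__ == "__main__":
    con = build_db()
    print(combine(con, "UNION"), combine(con, "INTERSECT"))
    print(column_count_mismatch(con))
    print(lookup_concat(con, TAUTOLOGY), lookup_param(con, TAUTOLOGY))
```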

=Data exfiltration=
==E-mail==
==Web==
==General network==
=Platform specific=
==Unique database platform features==
==Authoritative documentation resources==
==Links==