
SQLi


Bobby-tables.com: A guide to preventing SQL injection.

SQLite3 Injection Cheat Sheet - ~/haxing

Introduction

A few months ago I found an SQL injection vulnerability in an enterprisey webapp's help system. Turns out this was stored in a separate database - in SQLite. I had a Google around and could find very little information about exploiting SQLi with SQLite as the backend, so I went on a hunt and found some neat tricks. This is almost entirely applicable only to webapps using SQLite - other implementations (in Adobe, Android, Firefox etc.) largely don't support the tricks below.

Cheat Sheet

For some reason, 4x double quotes turn into a single double quote.

Getting Shell Trick 1 - ATTACH DATABASE

What it says on the tin - lets you attach another database for your querying pleasure. Then of course you can just visit lol.php.

Getting Shell Trick 2 - SELECT load_extension

Takes two arguments:
- A library (.dll for Windows, .so for *NIX)
- An entry point (SQLITE_EXTENSION_INIT1 by default)

This is great because

Unfortunately, this component of SQLite is disabled in the libraries by default.

Sqlcake v.1.1 Released.

Mod_security 2.6.5 SQLi bypass.
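The two "getting shell" tricks above rely on one thing: stacked statements reaching SQLite with attacker-controlled text in them. The following is an added example written for this page, not code from the ~/haxing post. It assumes a hypothetical help table, uses Python's sqlite3 module with executescript() as the stand-in for a driver that accepts several statements per call, and writes a constructed marker string instead of a real PHP payload. It shows the ATTACH DATABASE file write succeeding through string concatenation, the same payload being refused by an authorizer that denies SQLITE_ATTACH (plus a bound parameter, which is the actual fix), and the load_extension() call being rejected while extension loading is at its default of off. One caveat on Trick 2 the text skips: SQLite's documented default entry point for load_extension() is sqlite3_extension_init; SQLITE_EXTENSION_INIT1 is the macro an extension's source file uses.

```python
import os
import sqlite3
import tempfile

# Constructed stand-in for the PHP payload the cheat sheet drops into lol.php; any
# text works, the point is that it lands verbatim inside the attached file.
MARKER = "<?php /* constructed marker */ ?>"


def build_help_db(path):
    """Hypothetical help-system database: one table, one row (assumed schema)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE help (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO help (title) VALUES ('Logging in')")
    conn.commit()
    return conn


def attach_payload(target_path):
    """Trick 1 as a stacked-query payload: close the LIKE literal, ATTACH a new
    database at an attacker-chosen path, write text into it, comment out the rest."""
    return (
        f"x'; ATTACH DATABASE '{target_path}' AS lol; "
        "CREATE TABLE lol.pwn (dataz TEXT); "
        f"INSERT INTO lol.pwn (dataz) VALUES ('{MARKER}'); --"
    )


def search_vulnerable(conn, term):
    """The bug: the term is concatenated into SQL and handed to a runner that
    accepts several statements (executescript here, multi-statement drivers elsewhere)."""
    conn.executescript(f"SELECT title FROM help WHERE title LIKE '%{term}%';")


def deny_attach(action, arg1, arg2, db_name, source):
    """Authorizer callback: refuse ATTACH however the statement was built."""
    return sqlite3.SQLITE_DENY if action == sqlite3.SQLITE_ATTACH else sqlite3.SQLITE_OK


def hardened_search(term):
    """Bound parameter (one statement, the value is never parsed as SQL) plus the
    authorizer as defence in depth. Returns matching titles."""
    conn = build_help_db(":memory:")
    conn.set_authorizer(deny_attach)
    rows = conn.execute("SELECT title FROM help WHERE title LIKE ?", (f"%{term}%",))
    return [r[0] for r in rows.fetchall()]


def file_written_by_attach(workdir=None):
    """Run the payload through the vulnerable search; True if the marker ended up
    on disk at the attacker-chosen path (the precondition for 'just visit lol.php')."""
    workdir = workdir or tempfile.mkdtemp()
    target = os.path.join(workdir, "lol.php")
    conn = build_help_db(os.path.join(workdir, "help.db"))
    search_vulnerable(conn, attach_payload(target))
    conn.close()
    with open(target, "rb") as fh:
        return MARKER.encode() in fh.read()


def attach_blocked_by_authorizer(workdir=None):
    """Same payload against a connection carrying the authorizer: the ATTACH is
    refused when the statement is prepared, so no file appears.
    Returns (error_seen, file_exists)."""
    workdir = workdir or tempfile.mkdtemp()
    target = os.path.join(workdir, "lol2.php")
    conn = build_help_db(os.path.join(workdir, "help2.db"))
    conn.set_authorizer(deny_attach)
    try:
        search_vulnerable(conn, attach_payload(target))
        error_seen = False
    except sqlite3.DatabaseError:  # SQLITE_AUTH, "not authorized"
        error_seen = True
    conn.close()
    return error_seen, os.path.exists(target)


def load_extension_refused(conn=None):
    """Trick 2 check: with extension loading off (the default) the SQL function is
    refused. Returns the error text ('not authorized', or 'no such function' on
    builds compiled without loadable-extension support), None if it somehow ran."""
    conn = conn or sqlite3.connect(":memory:")
    try:
        conn.execute("SELECT load_extension('/nonexistent/evil.so')")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("marker on disk via ATTACH:", file_written_by_attach())
    print("ATTACH denied, file exists:", attach_blocked_by_authorizer())
    print("load_extension:", load_extension_refused())
    print("hardened search, payload as term:", hardened_search(attach_payload("/tmp/lol.php")))
```

The parameter binding is what removes the injection; the authorizer is there because a web app's SQLite handle has no business attaching databases or loading extensions at all, and denying those actions at the connection turns a future concatenation bug back into a query error instead of a file write.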

Some useful syntax reminders for SQL Injection into Oracle databases… This post is part of a series of SQL Injection Cheat Sheets.

Oracle SQL Injection Cheat Sheet

In this series, I've endeavoured to tabulate the data to make it easier to read and to use the same table for each database backend. This helps to highlight any features which are lacking for each database, enumeration techniques that don't apply, and also areas that I haven't got round to researching yet. The complete list of SQL Injection Cheat Sheets I'm working on is: I'm not planning to write one for MS Access, but there's a great MS Access Cheat Sheet here. Some of the queries in the table below can only be run by an admin.

Misc Tips

In no particular order, here are some suggestions from pentestmonkey readers. From Christian Mehlmauer:

Tags: cheatsheet, database, oracle, pentest, sqlinjection.

Sqlsus version 0.7.2.

FatCat-SQL-Injector-.zip - fatcat-sql-injector - FatCat SQL Injector.

The Mole – Automatic SQL Injection SQLi Exploitation Tool

The Mole is an automatic SQL Injection exploitation tool. By providing only a vulnerable URL and a valid string on the site, it can detect the injection and exploit it, either by using the union technique or a boolean query based technique.

Features
- Support for injections using Mysql, SQL Server, Postgres and Oracle databases.
- Command line interface. Different commands trigger different actions.

If you want to know how to use The Mole there's a good tutorial here. You can download The Mole here:
- Windows: themole-0.2.6-win32.zip
- Linux: themole-0.2.6-lin-src.tar.gz

ISR SQLGet - RDot

IMHO, it's worth having something like this on hand: ISR SQLGet is a blind SQL injection tool written in Perl. Among its features, note the list of supported DBs:
- IBM DB2
- Microsoft SQL Server
- Oracle
- Postgres
- Mysql
- IBM Informix
- Sybase
- Hsqldb (www.hsqldb.org)
- Mimer (www.mimer.com)
- Pervasive (www.pervasive.com)
- Virtuoso (virtuoso.openlinksw.com)
- SQLite
- Interbase/Yaffil/Firebird (Borland)
- H2
- Mckoi
- Ingres
- MonetDB
- MaxDB (www.mysql.com/products/maxdb/)
- ThinkSQL
- SQLBase

Evasion features:
- Full-width/Half-width Unicode encoding
- Apache non standard CR bypass
- mod_security bypass
- Random uppercase request transform
- PHP Magicquotes: encode every string using db CHR function or similar.
- Convert requests to hexadecimal values
- Avoid non-space replacing for /**/ or (\t) tab
- Avoid non || or + concatenation using db concat function or similar.
- Random user-agent
- Random proxy-server
- Random delay request

Download.

Sqlmap: