SQL Injections

Injection types

DBMS comparison

Show the database version

DBMS            Command
Oracle          SELECT banner FROM v$version or SELECT version FROM v$instance
Microsoft SQL   SELECT @@version
PostgreSQL      SELECT version()
MySQL           SELECT @@version or SELECT version()

List databases

DBMS            Command
Oracle          SELECT name FROM v$database;
Microsoft SQL   SELECT name FROM sys.databases;
PostgreSQL      SELECT datname FROM pg_database;
MySQL           SHOW DATABASES or SELECT schema_name FROM information_schema.schemata;

List tables

DBMS            Command
Oracle          SELECT TABLE_NAME FROM all_tables
Microsoft SQL   SELECT TABLE_NAME FROM information_schema.tables
PostgreSQL      SELECT TABLE_NAME FROM information_schema.tables
MySQL           SHOW TABLES or SELECT TABLE_NAME FROM information_schema.tables

List columns

DBMS            Command
Oracle          SELECT COLUMN_NAME FROM all_tab_columns WHERE table_name = $TABLE_NAME
Microsoft SQL   SELECT COLUMN_NAME FROM information_schema.columns WHERE table_name = $TABLE_NAME
PostgreSQL      SELECT COLUMN_NAME FROM information_schema.columns WHERE table_name = $TABLE_NAME
MySQL           SELECT COLUMN_NAME FROM information_schema.columns WHERE table_name = $TABLE_NAME

Time delay

DBMS            Command
Oracle          dbms_pipe.receive_message(('a'),10)
Microsoft SQL   WAITFOR DELAY '0:0:10'
PostgreSQL      SELECT pg_sleep(10)
MySQL           SELECT SLEEP(10)

Comments

DBMS            Command
Oracle          --comment
Microsoft SQL   --comment or /*comment*/
PostgreSQL      --comment or /*comment*/
MySQL           -- comment (with a space after the dashes) or /*comment*/ or #comment
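The DBMS-specific syntax in the tables above doubles as a set of detection signatures: a request that carries pg_sleep(), WAITFOR DELAY or dbms_pipe.receive_message tells a defender both that someone is probing for SQL injection and which backend they assume. The following added example (not part of the original cheat sheet) turns a subset of those commands into regexes, URL-decodes the request target from constructed Apache-style access-log lines (decoding twice to catch double encoding) and reports the DBMS family each hit points to; the log lines and the "generic" family label are assumptions of the example.

```python
import re
from urllib.parse import unquote_plus

# (DBMS family, pattern) pairs built from the commands in the tables above.
# "generic" marks syntax several DBMS share, so it fingerprints probing but not the backend.
SIGNATURES = [
    ("Microsoft SQL", re.compile(r"WAITFOR\s+DELAY\s+'\d+:\d+:\d+'", re.I)),
    ("Microsoft SQL", re.compile(r"\bsys\.databases\b", re.I)),
    ("PostgreSQL",    re.compile(r"\bpg_sleep\s*\(", re.I)),
    ("PostgreSQL",    re.compile(r"\bpg_database\b", re.I)),
    ("MySQL",         re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I)),
    ("MySQL",         re.compile(r"\binformation_schema\.schemata\b", re.I)),
    ("Oracle",        re.compile(r"\bdbms_pipe\.receive_message\b", re.I)),
    ("Oracle",        re.compile(r"\bv\$(?:version|instance|database)\b", re.I)),
    ("Oracle",        re.compile(r"\ball_tab(?:les|_columns)\b", re.I)),
    ("generic",       re.compile(r"@@version|\bversion\s*\(\s*\)", re.I)),
    ("generic",       re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I)),
]

# Request target inside a combined-format access-log line ("GET /path?query HTTP/1.1").
REQUEST_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def classify(request_target: str) -> list:
    """Decode a request target (twice, for double encoding) and return (family, matched) hits."""
    decoded = unquote_plus(unquote_plus(request_target))
    hits = []
    for family, pattern in SIGNATURES:
        m = pattern.search(decoded)
        if m:
            hits.append((family, m.group(0)))
    return hits

def scan_log(log_text: str) -> list:
    """Run classify() over every request line; one finding dict per signature hit."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_LINE.search(line)
        if m:
            for family, matched in classify(m.group(1)):
                findings.append({"line": lineno, "dbms": family, "matched": matched})
    return findings

# Constructed sample log: one benign request, then PostgreSQL, MSSQL and double-encoded generic probes.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=laptop HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=SELECT+pg_sleep%2810%29 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=WAITFOR+DELAY+%270:0:10%27 HTTP/1.1" 500 88
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=%2540%2540version HTTP/1.1" 200 600
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Signature matching on decoded URLs is a triage aid, not a substitute for parameterized queries in the application; a 500 response or a response time near the requested delay on a hit line is the stronger indicator that the probe reached the database.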